audit risk proposed international standards on auditing and proposed amendment to isa 200

IFAC

International

Auditing

and Assurance

Standards Board

October 2002

Exposure Draft

Response Due Date March 31, 2003

Audit Risk

Proposed International Standards on Auditing

and Proposed Amendment to ISA 200, “Objective and

Principles Governing an Audit of Financial Statements”

Issued for Comment by:

The International

Federation of

Accountants

AUDIT RISK

REQUEST FOR COMMENTS

The following exposure drafts and accompanying explanatory memorandum of the International Auditing and Assurance Standards Board (IAASB) were approved for publication in October 2002. The exposure drafts may be modified in the light of comments received before being issued in the form of International Standards on Auditing (ISAs).

(a) Amendment to ISA 200, “Objective and Principles Governing an Audit of Financial Statements;”

(b) ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement;”

(c) ISA XX, “Auditor’s Procedures in Response to Assessed Risks;” and

(d) ISA XX, “Audit Evidence.”

Commentators Guide and Consideration of Specific Issues The IAASB welcomes comments on the exposure drafts. In responding to the exposure drafts, commentators are requested to refer to the specific proposed ISA and relevant paragraphs within the ISA. The responses should include the reasons for the comments including specific suggestions for any proposed changes to wording. The IAASB is seeking comments on all matters addressed in the exposure drafts. In addition, the IAASB is interested in comments on the issues identified in Appendix 3 of the explanatory memorandum. Comments should be submitted so as to be received by March 31, 2003, preferably by e-mail, or on a computer disk or in writing. All comments will be considered a matter of public record and will be posted on IFAC’s website by April 7, 2003. Comments should be addressed to:

Technical Director International Auditing and Assurance Standards Board

535 Fifth Avenue, 26th Floor New York, New York 10017 USA

E-mail responses should be sent to: [email protected] The approved text of these exposure drafts of the IAASB is published in the English language. In order to achieve maximum exposure and feedback, IFAC encourages the reproduction of this publication in any format.

Copyright © October 2002 by the International Federation of Accountants. All rights reserved.

of 11

AUDIT RISK

EXPLANATORY MEMORANDUM TO EXPOSURE DRAFTS

Introduction This memorandum provides some background to, and explanation of, the proposed International Standards on Auditing (ISAs) approved for exposure by the International Auditing and Assurance Standards Board (IAASB). The IAASB believes the proposed ISAs will increase audit quality as a result of better risk assessments and improved design and performance of audit procedures to respond to the risks. The improved linkage of audit procedures and assessed risks is expected to result in a greater concentration of effort on areas where there is greater risk of misstatement. In some cases, this may result in a change to the audit approach, including the audit procedures performed. In many cases, implementation of the proposed ISAs will result in an overall increased work effort by the audit team, particularly for new engagements or when first implemented on continuing engagements. It is also likely that to implement the new requirements will require new skills and competencies, and may increase the need for specialist assistance on audits. Auditors and their professional bodies will need to consider the training needs that will result from the new requirements. The proposed ISAs and the ISAs to be replaced when the proposed ISAs are approved are: Proposed ISA Existing ISA to be replaced Amendment to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”

Proposed addition only to ISA 200

ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”

ISA 310, “Knowledge of the Business” ISA 400, “Risk Assessments and Internal Control” ISA 401, “Auditing in a Computer Information Systems Environment”

ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”

ISA 400, “Risk Assessments and Internal Control” ISA 401, “Auditing in a Computer Information Systems Environment”

ISA XX, “Audit Evidence” ISA 500, “Audit Evidence” These proposed ISAs are the product of the Audit Risk project, jointly conducted with the U.S. Auditing Standards Board (ASB). By partnering with the ASB, the IAASB is furthering its goal of integrating the standard setting process with national standard setters in order to promote the convergence and acceptance of an international set of auditing standards. The IAASB believes the proposed Standards are an important step in accomplishing this goal since these Standards establish the basic framework for the audit process.

EXPLANATORY MEMORANDUM TO AUDIT RISK EXPOSURE DRAFTS

Page 2 of 11

Background The business environment is subject to continuous change. Auditing practice likewise changes, and there is a need for standard setters to keep standards under review to ensure that they remain appropriate. Recent change in the business environment has included the way entities are organized and conduct their business; the effects of globalization and technology; the increasing use of judgment and estimates, including fair values, required by accounting standards; and significantly increased pressures that may cause fraudulent financial reporting. The IAASB and the ASB decided that the core auditing Standards should be reviewed in the light of these changes. A significant portion of the results of this review are the new and revised ISAs referred to above. The proposed ISAs include significant changes to improve standards and guidance on the auditor’s performance of audits. This review was additional to the process of continuous review of Standards under which both the IAASB and the ASB are working to improve the quality of audits. Since the initiation of the project, recent major corporate failures have undermined the public’s confidence in the effectiveness of audits and led to an intense scrutiny of the work of auditors. Although the proposed ISAs were not conceived as a direct response to these events, the project’s proposals to improve the overall audit process have been influenced by them and therefore represent part of the IAASB’s contribution to raising standards of audit practice and the consistency of their application around the world. Appendix 1 to this memorandum provides additional background information about this project.

Changes to Existing Requirements The proposed ISAs deal with the core of the audit – the auditor’s assessment of the risk that the financial statements could be wrong, and the way in which the auditor designs the rest of the audit to provide an effective audit response to the identified risks. The approach to the audit required by the proposed ISAs is summarized by the diagram in Appendix 2. Underlying this approach is the “audit risk model”, which is the fundamental statement of the theoretical basis of today’s audit. It is more fully explained in the amendment proposed to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements.” The essentials of the audit risk model remain the same; however, new requirements and expanded guidance are proposed to enhance the auditors’ implementation of the audit risk model. The proposed changes are significant, as described below, and are intended to improve auditor performance. The proposed ISAs deal with their subject matter in different combinations than did the previous ISAs. There is no separate ISA on understanding the business, since the IAASB considered that to combine this with the material on making risk assessments put the purpose of understanding the business into its proper context: it is a central part of the audit, whose importance in the risk assessment process needs to be understood. Previously, ISA 400, “Risk Assessments and Internal Control,” dealt with understanding internal control and with testing controls and substantive testing. The IAASB wished to emphasize the fundamental importance of designing and performing audit procedures to respond to the auditor's risk assessments, and considered that an appropriate way of recognizing this was to make this the subject of a separate ISA. Finally, in responding to the fact that computer systems are


Page 3 of 11

generally now the rule rather than the exception, their use has been assumed in the proposed ISAs so that a separate ISA such as the current ISA 401, “Auditing in a Computer Information Systems Environment,” was unnecessary.

Significant Changes and Effect on the Auditor’s Work Significant changes in the proposed ISAs and the way they are expected to affect the auditor’s work are discussed below. In overview, they relate to the following:

• The auditor is required to obtain an enhanced understanding of the entity’s business. The auditor is required to perform audit procedures to obtain a broader and deeper understanding of specified aspects of the entity and its environment, including its internal control.

• The auditor is required to make risk assessments in all cases. The required understanding of the entity provides a better basis for identifying risks of material misstatement at the financial statement level and in classes of transactions, account balances and disclosures. The auditor is required to perform a more rigorous assessment in relating the identified risks to what can go wrong at the assertion level. By requiring the auditor to make risk assessments in all audits, the auditor can no longer default to a high risk assessment.

• The auditor is required to link the identified risks to audit procedures. In designing and performing further audit procedures, the nature, timing and extent of the procedures are linked to the assessed risks.

• The auditor is required to document specific matters. The proposed documentation requirements are more specific, since the IAASB recognizes the importance of documentation in driving better performance of the audit.

The details of the more significant changes are outlined below. The explanation of significant changes is a summary of the main effects of the proposed Standards. It is essential to read the proposed ISAs in their entirety for a full appreciation of their effect on the auditor’s work. Expanded understanding of the entity. Proposed ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” specifies and expands upon what the auditor must understand about the entity whose financial statements are being audited. In particular, the auditor is required to obtain an understanding of business risks1 to the extent that they are relevant to the financial statements. Sources of understanding and procedures for obtaining it. The proposed ISAs include requirements and guidance on where and how the auditor should obtain the required understanding. These new requirements are intended to provide rigor and substance to the auditor’s procedures and to improve the auditor’s knowledge by requiring the auditor to look beyond those involved in financial reporting and management to those with operational roles 1 Business risks are discussed in paragraph 36 of proposed ISA XX, “Understanding the Entity and Its

Environment and Assessing the Risks of Material Misstatement,” as resulting from significant conditions, events, circumstances or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies.


Page 4 of 11

within the entity. In addition, the proposals emphasize that the information obtained during this phase of the auditor’s work may constitute valid audit evidence which contributes to the auditor’s opinion but is not sufficient, in and of itself, to support the auditor’s opinion. The audit procedures undertaken to obtain the necessary understanding are referred to as “risk assessment procedures.” Discussion among audit team. The members of the audit team are required to discuss the susceptibility of the entity’s financial statements to fraud or error. This reinforces the requirement for the audit team to discuss fraud and error risks, introduced in ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements.”2 The purpose of this requirement is to encourage the team to share information and ideas so that the collective wisdom of the team can be brought to bear on the risk identification process. Internal control3 – increased requirements and guidance. The requirements and guidance related to internal control have been substantially increased including specification of the components that comprise internal control, the extent of the required understanding of each of the components of internal control, and the auditor’s procedures to obtain an understanding of internal control.

• Internal control components of which an understanding is required now include the entity’s risk assessment process and its monitoring of controls. This change, along with increased guidance on the entity’s control environment, is intended to assist the auditor in better understanding the role that management and those charged with governance have in the entity’s overall internal control and how such controls may affect the auditor’s procedures.

• In understanding the entity’s internal control, the auditor is required to evaluate the design of controls and determine whether they have been implemented. This level of understanding is greater than that previously required. In particular, evaluation of the design and determination of the implementation of controls that address significant risks and controls that relate to assertions for which substantive procedures alone is not sufficient is required.4 In obtaining this level of understanding of internal control, the auditor is more likely to identify controls that are of relevance to the audit and is consequently encouraged to plan reliance on such controls.

2 The IAASB has a project on its agenda to reconsider ISA 240. 3 Internal control as discussed in paragraph 51 of proposed ISA XX, “Understanding the Entity and Its

Environment and Assessing the Risks of Material Misstatement,” includes the control environment, the entity’s risk assessment process, the information system and related business processes relevant to financial reporting and communication, control procedures and monitoring of controls. These components are derived from the “Internal Control-Integrated Framework” published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. This model may be revisited as part of the U.S. profession’s response to the requirements of the Sarbanes-Oxley Act, and the IAASB will be monitoring such developments.

4 For situations where substantive procedures alone are not sufficient to reduce the risk of material

misstatement at the assertion level to an acceptably low level, paragraph 23 of proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” also requires the auditor to perform tests of controls to obtain audit evidence about their operating effectiveness.


Page 5 of 11

Assessing the risks of material misstatement. In obtaining a broader understanding of the entity and its environment, including its internal control, the auditor has a better basis for identifying risks of material misstatement. The auditor’s assessment is supported by the audit evidence obtained from the risk assessment procedures. In performing the risk assessment, the auditor is required to assess the risks of material misstatement at the assertion level, identify risks that are significant in the auditor’s judgment, and identify assertions where substantive procedures alone will not be sufficient. The proposed ISAs describe risk assessment as a combined assessment of inherent and control risk. The auditor may perform combined or separate assessments. Responding to risks of material misstatement. The auditor’s procedures should be responsive to the assessed risks and reduce audit risk to an appropriately low level. The auditor responds to risks at the financial statement level and the assertion level. Because of the nature of risks at the financial statement level, the auditor is required to determine overall responses, such as assigning audit staff with special skills or incorporating additional elements of unpredictability in the selection of audit procedures to address such risks. In responding to the risks of material misstatement at the assertion level, the nature, timing and extent of the auditor’s procedures need to be clearly linked to the assessed risks. Proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” emphasizes the nature of the procedures in determining the response to the assessed risks. Testing the operating effectiveness of controls. In evaluating the entity’s internal control, the auditor may identify controls and plan to rely on the effectiveness of such controls. For such controls, consistent with current ISAs, the auditor tests that the controls are operating effectively at relevant times during the audit. Proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” contains new guidance concerning the use of audit evidence of the effectiveness of controls obtained in previous audits, including:

• If the auditor intends to rely on controls that have not changed (based on the auditor’s evaluation of design and whether in operation in the current period) since they were last tested, the auditor tests the operating effectiveness of such controls at least every third audit. The longer the time elapsed since a control is tested, the less audit evidence the control may provide about its effectiveness in the current year.

• For a significant risk, where the auditor plans to rely on the operating effectiveness of controls intended to mitigate the risk, the auditor obtains audit evidence about the operating effectiveness of relevant controls in the current period.

Substantive procedures. A new requirement is that for significant risks the auditor must perform substantive procedures that are specifically responsive to the risks. Although there is no change to the current requirement to perform substantive procedures for material classes of transactions and account balances, the requirement has been extended to disclosures given their increased significance under financial reporting frameworks. Evaluating the sufficiency and appropriateness of audit evidence. The sufficiency and appropriateness of audit evidence obtained is a matter of professional judgment. Proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” provides additional guidance in performing this evaluation. If the auditor is unable to obtain sufficient and


Page 6 of 11

appropriate audit evidence, the auditor expresses a qualified opinion or a disclaimer of opinion. Documentation requirements. Both proposed ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” expand the documentation requirements. Some of the additional documentation requirements include:

• Details of each aspect of the understanding of the entity and its environment obtained (including internal control);

• The procedures performed to obtain the understanding including the sources of information;

• The results of the risk assessments both at the financial statement and assertion levels;

• The nature, timing and extent of the auditor’s procedures; and

• The linkage with the assessed risks and the results of the audit procedures.

Small Entities ISAs are developed to apply to all entities and the proposed ISAs have been drafted on this basis. While some aspects may seem more applicable to larger entities (e.g., the requirement to consider the entity’s risk assessment process, the importance of governance arrangements and monitoring of controls), the underlying considerations and objectives are equally relevant to small entities. In such cases, the relevant processes may be simpler, but the aspects of a business to which they refer are equally important, though the means of dealing with them may be different and less formal. The effect is that, while they should be considered by all auditors, in the case of the small entity the auditor may find that some matters may be understood quite readily. The IAASB believes that in some cases auditors of small entities may already have an understanding close to that required by the proposed ISAs, and that the principal effect of the proposals will be to require the auditor to use that understanding in a more effective way. The IAASB is, however, aware that additional guidance may be necessary for audits of small entities. It has therefore approved a project to consider the effect of the proposed ISAs on International Auditing Practice Statement (IAPS) 1005, “The Special Considerations in the Audit of Small Entities,” and to make proposals about whether to incorporate relevant guidance in the ISAs or a revision of the IAPS.

Conforming Changes The proposed ISAs will have the most effect on the auditor’s risk assessment process and in performing further audit procedures based on the risk assessment. However, the proposals will also affect other aspects of the audit. Therefore, when these proposed ISAs are approved, other ISAs will require revision for conformity and consistency. The IAASB believes that the proposed ISAs will require significant conforming changes to:

• ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements;”


Page 7 of 11

• ISA 300, “Planning;”

• ISA 520, “Analytical Procedures;”

• ISA 530, “Audit Sampling and Other Selective Testing Procedures;” and

• ISA 540, “Audit of Accounting Estimates.” IAASB will continue to work on conforming changes during the exposure period.


Page 8 of 11

Appendix 1: Background to the Project

JOINT WORKING GROUP REPORT AND THE U.S. PUBLIC OVERSIGHT BOARD REPORT The project was heavily influenced by the findings and recommendations of the Joint Working Group5 (JWG) and the U.S. Public Oversight Board’s Panel on Audit Effectiveness (POB). In May 2000, the JWG published the results of its research in the report, “Developments in the Audit Methodologies of Large Accounting Firms.” Since the initiation of the original research project, the POB issued a report in August 2000 on an extensive study of audit effectiveness. Both reports indicated that the fundamental audit risk model was not broken, but certain changes were needed. Where appropriate, the recommendations of the JWG and the POB have been adopted.

JOINT RISK ASSESSMENTS TASK FORCE Both the IAASB and the ASB had projects to respond to the changes in the audit environment and to consider the recommendations of the JWG and the POB respectively. As the IAASB and ASB faced similar issues and had a common purpose of improving audit quality, the two bodies formed the Joint Risk Assessments Task Force to develop a common set of auditing standards. By partnering with the ASB, the IAASB is furthering its goal of integrating the standard setting process with national standard setters in order to promote the convergence and acceptance of an international set of auditing standards. The IAASB believes the proposed standards are an important step in accomplishing this goal since these standards establish the basic framework for the audit process. The ASB will be issuing proposed Statements on Auditing Standards (SASs) that are the proposed ISAs modified to conform to certain specific U.S. requirements. The proposed ISAs and the proposed SASs are therefore expected to be the same in substance, except to the extent of additional requirements that are included in the U.S. versions to conform with other U.S. standards.

5 In 1998, a Joint Working Group made up of standards setters and academics from Canada, the United

Kingdom and the United States was formed to research and understand developments relevant to auditing and to enable standards setters to consider the need for consequent revisions of auditing standards.


Page 9 of 11

Appendix 2: Overview of the Proposed ISAs

Perform risk assessment proceduresPerform audit procedures to understand the entity and its environment:

• Industry, regulatory, and other external factors including applicable financial reporting framework

• Nature of the entity• Objectives and strategies and related business risks• Measurement and review of the entity’s financial

performance• Internal control

Evaluate audit evidence obtainedEvaluate whether sufficient and appropriate audit evidence has been obtained.

See paragraphs 58 to 64 of ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”

Perform further audit proceduresPerform further audit procedures that are clearly linked to risks at the assertion level by:

• Performing tests of the operating effectiveness of controls • Performing substantive procedures


Respond to assessed risksRespond to the risks at the financial statement level and assertion level by:

• Developing overall responses to the assessed risks at the financial statement level; and

• Determining the nature, timing and extent of further audit procedures at the assertion level


Assess the risks of material misstatementAssess the risks of material misstatement at the financial statement level and the assertion level by:• Identifying risks through considering

- the entity and its environment, including its internal control- classes of transactions, account balances and disclosures

• Relating the identified risks to what can go wrong at the assertion level

• Considering the significance and likelihood of the risks

See paragraphs 95 to 114 of ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”


Perform risk assessment proceduresPerform audit procedures to understand the entity and its environment:

• Industry, regulatory, and other external factors including applicable financial reporting framework

• Nature of the entity• Objectives and strategies and related business risks• Measurement and review of the entity’s financial

performance• Internal control

Evaluate audit evidence obtainedEvaluate whether sufficient and appropriate audit evidence has been obtained.


Perform further audit proceduresPerform further audit procedures that are clearly linked to risks at the assertion level by:

• Performing tests of the operating effectiveness of controls • Performing substantive procedures


Respond to assessed risksRespond to the risks at the financial statement level and assertion level by:

• Developing overall responses to the assessed risks at the financial statement level; and

• Determining the nature, timing and extent of further audit procedures at the assertion level


Assess the risks of material misstatementAssess the risks of material misstatement at the financial statement level and the assertion level by:• Identifying risks through considering

- the entity and its environment, including its internal control- classes of transactions, account balances and disclosures

• Relating the identified risks to what can go wrong at the assertion level

• Considering the significance and likelihood of the risks




Page 10 of 11

Appendix 3: Commentators Guide to Issues The IAASB welcomes comments on any aspect of the exposure drafts including aspects of the individual proposed ISA, as well as the proposed ISAs taken as a whole. In responding to the exposure drafts, commentators are requested to refer to the specific proposed ISA and relevant paragraphs within the ISA. The responses should include the reasons for the comments and specific suggestions for any proposed changes to wording amendments. While the IAASB is seeking comments on all matters addressed in the exposure drafts, the IAASB is interested in comments on the following issues:

GENERAL ISAs are drafted to contain basic principles and essential procedures together with related guidance that apply to the audits of financial statements of any entity, irrespective of its size. However, the IAASB recognizes that the audit of small entities may give rise to certain special audit considerations. Are there such special audit considerations in applying the standards and guidance contained in proposed ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”? If so, include details of such considerations. (The IAASB will take any comments made in response to this request when taking forward its project to consider the effect of the proposed ISAs on IAPS 1005, “The Special Considerations in the Audit of Small Entities,” and to make proposals about whether to incorporate relevant guidance in the ISAs or revision of IAPS 1005.)

ISA XX, “UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT” Paragraphs 50 through 94 deals with internal control including the requirement to obtain an understanding of the components of internal control and guidance on obtaining the understanding. Appendix 2 contains further guidance to assist the auditor in understanding the components of internal control, including their application to small entities. Is this additional guidance helpful, or is there sufficient material within the ISA itself? In considering this question, commentators should assume that the paragraphs relating to small entities will be retained whether in the Appendix or elsewhere.

ISA XX, “THE AUDITOR’S PROCEDURES IN RESPONSE TO ASSESSED RISKS” Where the auditor plans to rely on controls that have not changed since they were last tested, paragraph 38 requires the auditor to test the operating effectiveness of such controls at least every third audit. The IAASB discussed whether it was appropriate to impose such a limit on


Page 11 of 11

the ability of the auditor to use audit evidence obtained in a prior audit. The alternative view is that the period for such reliance should be left to the auditor’s judgment. Is it appropriate for the ISA to specify a time period, and if so, is every third audit an appropriate limit? If not, please indicate what time period, if any, is considered more appropriate.

DOCUMENTATION Proposed ISAs XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” include detailed documentation requirements. The IAASB considers that documentation requirements are important as a means of ensuring that auditors comply with significant requirements of the standards. The requirements are more extensive than previously. Do commentators agree that it is appropriate for the IAASB to establish detailed documentation requirements? Are the proposals practical? If not, what suggestions do you have for documentation that achieves the objective of improving compliance with standards?

IFAC

International

Auditing

and Assurance

Standards Board

October 2002

Exposure Draft


Amendment to ISA 200,

“Objective and Principles

Governing an Audit of Financial

Statements” Proposed Amendment to International Standard on Auditing


The International

Federation of

Accountants

AMENDMENT TO ISA 200, “OBJECTIVE AND GENERAL PRINCIPLES GOVERNING AN AUDIT OF FINANCIAL STATEMENTS”

Page 1 of 5

CONTENTS

Paragraphs Introduction ................................................................................................................. 1

Objective of an Audit ................................................................................................. 2-3

General Principles of an Audit ................................................................................... 4-6

Scope of an Audit ....................................................................................................... 7

Reasonable Assurance ................................................................................................ 8-11

Audit Risk and Materiality.......................................................................................... 12-22

Responsibility for the Financial Statements ............................................................... 23

International Standards on Auditing (ISAs) are to be applied in the audit of financial statements. ISAs are also to be applied, adapted as necessary, to the audit of other information and to related services. ISAs contain the basic principles and essential procedures (identified in bold type black lettering) together with related guidance in the form of explanatory and other material. The basic principles and essential procedures are to be interpreted in the context of the explanatory and other material that provide guidance for their application. To understand and apply the basic principles and essential procedures together with the related guidance, it is necessary to consider the whole text of the ISA including explanatory and other material contained in the ISA not just that text which is black lettered. In exceptional circumstances, an auditor may judge it necessary to depart from an ISA in order to more effectively achieve the objective of an audit. When such a situation arises, the auditor should be prepared to justify the departure. ISAs need only be applied to material matters.

The Public Sector Perspective (PSP) issued by the Public Sector Committee of the International Federation of Accountants is set out at the end of an ISA. Where no PSP is added, the ISA is applicable in all material respects to the public sector.


Page 2 of 5

Conforming changes to the existing standards and guidance in paragraphs 1 through 11 have not yet been considered. As changes have not been made to these paragraphs, they have not been reproduced here. The following represents the proposed addition to ISA 200.

Audit Risk and Materiality 12. Entities pursue strategies to achieve their objectives, and depending on the nature of their

operations and industry, the regulatory environment in which they operate, and their size and complexity, they face a variety of business risks. Management is responsible for identifying such risks and responding to them. However, not all risks relate to the preparation of the financial statements. The auditor is concerned only with risks that may affect the financial statements.

13. The auditor obtains and evaluates audit evidence to obtain reasonable assurance about

whether the financial statements give a true and fair view (or are presented fairly, in all material respects) in accordance with the applicable financial reporting framework. The concept of reasonable assurance acknowledges that there is a risk the audit opinion is inappropriate. The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated is known as “audit risk.”1

14. The auditor should plan and perform the audit to reduce audit risk to an

acceptably low level. The auditor reduces audit risk to an acceptably low level by designing and performing audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base an audit opinion.

15. Audit risk is a function of the risk of material misstatement of the financial statements

(or simply, the “risk of material misstatement”) (i.e., the risk that the financial statements are materially misstated prior to audit) and the risk that the auditor will not detect such misstatement (“detection risk”). The auditor performs audit procedures to assess the risk of material misstatement and seeks to limit or restrict detection risk by performing further audit procedures based on that assessment (see ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”). The audit process involves the exercise of professional judgment in designing the audit approach, through focusing on what can go wrong (i.e., what are the potential misstatements that may arise) at the assertion level (see ISA XX, “Audit Evidence”).

16. The auditor is concerned only with material misstatements, and is not responsible for the

detection of misstatements that are not material to the financial statements taken as a

1 This definition of audit risk does not include the risk that the auditor might erroneously conclude that the

financial statements are materially misstated. In such a situation, the auditor ordinarily reconsiders or extends audit procedures and requests that management perform specific tasks to reevaluate the appropriateness of the financial statements. These steps ordinarily lead the auditor to the correct conclusion. This definition also excludes the risk of an inappropriate reporting decision unrelated to the detection and evaluation of a misstatement in the financial statements, such as an inappropriate decision regarding the form of the auditor’s report because of a limitation of scope of the audit.


Page 3 of 5

whole. Materiality and audit risk are related (see ISA 320, “Audit Materiality”). The auditor considers risk and materiality at two levels: the overall financial statement level and in relation to the individual classes of transactions, account balances and disclosures and the related assertions.

17. The auditor considers the risk of material misstatement at the overall financial statement

level, which refers to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of this nature often relate to the entity’s control environment, and are not necessarily risks identifiable with specific assertions at the class of transaction, account balance or disclosure level. Rather, this overall risk represents circumstances that increase the risk that there could be material misstatements in any number of different assertions, for example, through management override of internal control. Such risks may be especially relevant to the auditor’s consideration of the risk of material misstatement arising from fraud. The auditor’s consideration of the risk of material misstatement at the overall financial statement level includes consideration of the knowledge, skill, and ability of personnel assigned significant engagement responsibilities, including whether to involve experts; the appropriate levels of supervision; and whether there are events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern.

18. The auditor also considers the risk of material misstatement at the individual class of

transaction, account balance and disclosure level because such consideration directly assists in determining the nature, timing, and extent of further audit procedures at the assertion level. The auditor seeks to restrict risks at the individual class of transaction, account balance and disclosure level in such a way that enables the auditor, at the completion of the audit, to express an opinion on the financial statements taken as a whole at an acceptably low level of audit risk. Auditors use various approaches to accomplish that objective.2

19. The discussion in the following paragraphs provides an explanation of the components of

audit risk. The risk of material misstatement at the assertion level consists of two components as follows:

• “Inherent risk” is the susceptibility of an assertion to a material misstatement, assuming that there are no related controls. The risk of such misstatement is greater for some assertions and related classes of transactions, account balances and disclosures than for others. For example, complex calculations are more likely to be misstated than simple calculations. Accounts consisting of amounts derived from accounting estimates pose greater risks than do accounts consisting of relatively routine, factual data. External circumstances also influence inherent risk. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. In addition to those circumstances that are peculiar to a specific assertion for a class of

2 The auditor may make use of a model that expresses the general relationship of the components of audit

risk in mathematical terms to arrive at an appropriate level of detection risk. Some auditors find such a model to be useful when planning audit procedures to achieve a desired audit risk though the use of such a model does not eliminate the judgment inherent in the audit process.


Page 4 of 5

transactions, account balance or disclosure, factors in the entity and its environment that relate to several or all of the classes, balances or disclosures may influence the inherent risk related to an assertion for a specific class, balance or disclosure. These latter factors include, for example, a lack of sufficient working capital to continue operations or a declining industry characterized by a large number of business failures.

• “Control risk” is the risk that a material misstatement that could occur in an assertion will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. That risk is a function of the effectiveness of the design and operation of internal control in achieving the entity’s objectives relevant to preparation of the entity’s financial statements. Some control risk will always exist because of the inherent limitations of internal control.

20. Inherent risk and control risk are the entity’s risks, and they exist independently of the

audit of the financial statements. The auditor is required to assess the risk of material misstatement at the assertion level as a basis for further audit procedures, though that assessment is a judgment, rather than a precise measurement of risk. The ISAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risk of material misstatement.” Although the ISAs ordinarily describe a combined assessment of the risk of material misstatement, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risk of material misstatement may be made in quantitative terms, such as in percentages, or in non-quantitative terms across a range. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.

21. “Detection risk” is the risk that the auditor will not detect a material misstatement that

exists in an assertion. Detection risk is a function of the effectiveness of an audit procedure and of its application by the auditor. It arises partly from the fact that the auditor usually does not examine all of a class of transactions, account balance or disclosure and partly because of other uncertainties. Such other uncertainties arise because an auditor might select an inappropriate audit procedure, misapply an appropriate audit procedure, or misinterpret the audit results. These other uncertainties ordinarily can be reduced to a negligible level through adequate planning, proper assignment of audit staff and supervision and review of the audit work performed.

22. Detection risk relates to the nature, timing and extent of the auditor's procedures that are

determined by the auditor to reduce audit risk to an acceptably low level. Detection risk bears an inverse relationship to the assessment of the risk of material misstatement at the assertion level. The greater the risk of material misstatement the auditor believes exists, the less the detection risk that can be accepted. Conversely, the less risk of material misstatement the auditor believes exist, the greater the detection risk that can be accepted.


Page 5 of 5

Responsibility for the Financial Statements 12 23. While the auditor is responsible for forming and expressing an opinion on the

financial statements, the responsibility for preparing and presenting the financial statements is that of the management of the entity. The audit of the financial statements does not relieve management of its responsibilities.

IFAC

International

Auditing

and Assurance

Standards Board

October 2002

Exposure Draft


Understanding the Entity and Its

Environment and Assessing the

Risks of Material Misstatement Proposed International Standard on Auditing


The International

Federation of

Accountants

ISA XX, “UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT”

Page 1 of 43

CONTENTS

Paragraphs Introduction ................................................................................................................. 1–6

Risk Assessment Procedures and Sources of Information About the Entity and Its Environment, Including Its Internal Control ....................................................... 7-25

Risk Assessment Procedures ............................................................................... 8-17

Discussion Among the Audit Team ..................................................................... 18-22

Sources of Information About the Entity and Its Environment, Including Its Internal Control ................................................................................................... 23-25

Understanding the Entity and Its Environment, Including Its Internal Control .......... 26-94

Industry, Regulatory and Other External Factors, Including the Applicable Financial Reporting Framework.......................................................................... 28-31

Nature of the Entity ............................................................................................. 32-35

Objectives and Strategies and Related Business Risks ....................................... 36-44

Measurement and Review of the Entity’s Financial Performance ...................... 45-49

Internal Control ................................................................................................... 50-94

Controls Relevant to the Audit ..................................................................... 56-60

Effect of Information Technology on Internal Control ................................ 61-65

Limitations of Internal Control..................................................................... 66-67

Control Environment.................................................................................... 68-75

Information System and Related Business Processes Relevant to Financial Reporting and Communication..................................................... 76-82

Control Procedures ....................................................................................... 83-89

Monitoring of Controls................................................................................. 90-94

Assessing the Risks of Material Misstatement............................................................ 95-114

Significant Risks That Require Special Audit Consideration.............................. 104-109

Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit Evidence ............................................................... 110-113

Revision of Risk Assessment …………………………………………………. 114

Communicating With Those Charged With Governance or Management .................. 115-116

Documentation ............................................................................................................ 117-119

Effective Date.............................................................................................................. 120


Page 2 of 43

Appendix 1: Understanding the Entity and Its Environment

Appendix 2: Internal Control Components

Appendix 3: Conditions and Events that May Indicate Risks of Material Misstatement

International Standards on Auditing (ISAs) are to be applied in the audit of financial statements. ISAs are also to be applied, adapted as necessary, to the audit of other information and to related services. ISAs contain the basic principles and essential procedures (identified in bold type black lettering) together with related guidance in the form of explanatory and other material. The basic principles and essential procedures are to be interpreted in the context of the explanatory and other material that provide guidance for their application. To understand and apply the basic principles and essential procedures together with the related guidance, it is necessary to consider the whole text of the ISA including explanatory and other material contained in the ISA, not just that text which is black lettered. In exceptional circumstances, an auditor may judge it necessary to depart from an ISA in order to more effectively achieve the object of an audit. When such a situation arises, the auditor should be prepared to justify the departure. ISAs need only be applied to material matters. The Public Sector Perspective (PSP) issued by the Public Sector Committee of the International Federation of Accountants is set out at the end of an ISA. Where no PSP is added, the ISA is applicable in all material respects to the public sector.


Page 3 of 43

Introduction 1. The purpose of this International Standard on Auditing (ISA) is to establish standards and

provide guidance on obtaining an understanding of the entity and its environment, including its internal control, and on assessing the risks of material misstatement in a financial statement audit. The importance of the auditor’s risk assessment as a basis for further audit procedures is discussed in the explanation of audit risk in ISA 200, “Objective and General Principles Governing an Audit of Financial Statements.” This standard requires the auditor to make risk assessments at the financial statement and assertion levels based on an appropriate understanding of the entity and its environment, including its internal control.

2. The following is an overview of the requirements of this standard:

• Risk assessment procedures and sources of information about the entity and its environment, including its internal control. This section requires the auditor to perform specific audit procedures to obtain the understanding and provides for the auditor to use information obtained in prior audits after considering the relevance of that information for the current audit. This section also requires discussion among the audit team about the susceptibility of the entity’s financial statements to material misstatement.

• Understanding the entity and its environment, including its internal control. This section requires the auditor to understand specified aspects of the entity and its environment, and components of its internal control, in order to assess the risks of material misstatement.

• Assessing the risks of material misstatement. This section requires the auditor to assess the risks of material misstatement at the financial statement and assertion levels. The auditor: o Identifies risks by considering the entity and its environment, including

relevant controls that relate to the risks, and by considering the classes of transactions, account balances and disclosures in the financial statements.

o Relates the identified risks to what can go wrong at the assertion level.

o Considers the significance and likelihood of the risks.

This section also requires the auditor to identify significant risks that require special audit consideration and risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. The auditor is required to evaluate the design of the entity’s controls, including relevant control procedures, over such risks and determine whether they have been implemented.

• Communicating with those charged with governance or management. This section deals with matters relating to internal control that the auditor communicates to those charged with governance or management.

• Documentation. This section establishes related documentation requirements.


Page 4 of 43

3. The requirements and guidance of this standard are to be applied in conjunction with the requirements and guidance provided in other ISAs. In particular, the auditor’s considerations relevant to fraud are discussed in ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements.”

4. The auditor should obtain an understanding of the entity and its environment,

including its internal control, that is sufficient to assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. This ISA discusses the auditor’s responsibility for assessing the risks of material misstatement. ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” discusses the auditor’s responsibility to determine overall responses and to design and perform further audit procedures whose nature, timing and extent are responsive to the risk assessments.

5. Obtaining an understanding of the entity and its environment is an essential part of

planning and performing an audit in accordance with ISAs. In particular, that understanding establishes a frame of reference within which the auditor exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit, for example when:

• Considering the appropriateness of the accounting policies applied and the adequacy of financial statement disclosures.

• Identifying areas where special audit consideration may be necessary, for example, factors indicative of fraud, related party transactions, the need for special skills or the work of an expert, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions.

• Establishing materiality and evaluating whether the judgment about materiality remains appropriate as the audit progresses.

• Developing expectations for use when performing analytical procedures.

• Designing and performing further audit procedures to reduce audit risk to an acceptably low level.

• Evaluating audit evidence, including the reasonableness of accounting estimates and of management’s oral and written representations.

6. The auditor uses professional judgment to determine the extent of the understanding

required of the entity and its environment, including its internal control. The auditor’s primary consideration is whether the understanding that has been obtained is sufficient to assess the risks of material misstatement of the financial statements. The depth of understanding that is required by the auditor in performing the audit is ordinarily less than that possessed by management in managing the entity.


Page 5 of 43

Risk Assessment Procedures and Sources of Information About the Entity and Its Environment, Including Its Internal Control 7. Obtaining an understanding of the entity and its environment, including its internal

control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit. As described in ISA XX, “Audit Evidence,” audit procedures to obtain an understanding are referred to as “risk assessment procedures” because some of the information obtained by performing such procedures may be used by the auditor as audit evidence to support assessments of the risks of material misstatement of the financial statements. In addition, in performing risk assessment procedures, the auditor may obtain audit evidence about classes of transactions, account balances or disclosures and related assertions and about the operating effectiveness of controls, even though such audit procedures were not specifically planned as substantive procedures or as tests of controls. The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so.

RISK ASSESSMENT PROCEDURES 8. To obtain an understanding of the entity and its environment, including its internal

control, the auditor should perform the following risk assessment procedures:

(a) Inquiries of management and others within the entity;

(b) Analytical procedures; and

(c) Observation and inspection.

In addition, the auditor performs other audit procedures as appropriate. 9. Although much of the information the auditor obtains by inquiries can be obtained from

management and those responsible for financial reporting, other personnel possess information that is relevant to the auditor’s understanding of the entity and its environment. Making inquiries of others within the entity may also be useful in providing the auditor with a perspective different from that of management and those responsible for financial reporting. Others may include, for example:

• Internal audit personnel.

• Production, marketing, sales, and other personnel.

• Employees with different levels of authority.

• Employees involved in initiating, processing or recording complex or unusual transactions.

• In-house legal counsel.

• Those charged with governance. 10. In determining the others within the entity to whom inquiries may be directed, and the

extent of those inquiries, the auditor considers what information may be obtained that helps the auditor in identifying risks of material misstatement. For example, inquiries


Page 6 of 43

directed toward in-house legal counsel may relate to such matters as litigation, compliance with laws and regulations, warranties, post-sales obligations, and the meaning of contract terms. Inquiries directed toward internal audit personnel may relate to their activities concerning the design and effectiveness of the entity’s internal control and whether management has satisfactorily responded to any findings from these activities. Inquiries directed towards sales personnel may relate to changes in the entity’s sales trends or contractual arrangements with major customers.

11. The auditor also considers whether inquiries of others outside the entity may be helpful

in obtaining an understanding of the entity and its environment and in identifying risks of material misstatement. For example, the auditor may consider that in a particular case it is appropriate to make inquiries of the entity’s external legal counsel, customers, suppliers, or valuation specialists that the entity has used.

12. The auditor applies analytical procedures to assist in understanding the entity and its

environment (see ISA 520, “Analytical Procedures”). Analytical procedures may be helpful in identifying the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have financial statement and audit planning implications. In performing analytical procedures in planning the audit, the auditor develops expectations about plausible relationships that are reasonably expected to exist, based on the auditor’s understanding of the entity and its environment. When comparison of those expectations with recorded amounts or ratios developed from recorded amounts yields unusual or unexpected relationships, the auditor considers those results in identifying the risks of material misstatement. However, because such analytical procedures ordinarily use data aggregated at a high level, the results of those analytical procedures only provide a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the auditor considers the results of analytical procedures performed during planning along with other information gathered in identifying the risks of material misstatement.

13. Observation and inspection may support inquiries of management and others, and also

provide information about the entity and its environment. Such audit procedures include:

• Observation of entity activities and operations.

• Review or inspection of documents, records, and controls manuals.

• Visits to the entity’s premises and plant facilities.

• Reviewing written business plans and strategies.

• Tracing transactions through the information system relevant to financial reporting (walk-throughs).

14. The auditor uses other audit procedures as appropriate, such as reading about industry

developments and trends, reading the current year’s interim financial statements and reviewing regulatory or financial publications.


Page 7 of 43

15. The nature, timing and extent of the risk assessment procedures to obtain the understanding depend on the circumstances of the engagement such as the size and complexity of the entity and the auditor's experience with it.

16. Larger, more complex entities may operate in many countries, engage in complex

business transactions, and use sophisticated internal control and information technology(IT).1 In such entities, auditors may need to perform more extensive risk assessment procedures or make use of staff or others with special skills to obtain an understanding of the entity and its environment sufficient to identify and assess the risks of material misstatement of the financial statements.

17. Smaller, less complex entities that offer a limited range of products or services may often

have simpler organizational structures, systems and controls. In such entities, auditors may obtain a sufficient understanding of the entity and its environment by performing less extensive risk assessment procedures. However, smaller entities may be involved in complex transactions or be subject to legal and regulatory requirements also found in larger entities. Similarly, a small entity may use sophisticated applications of IT in its information systems. In such circumstances, the auditor may need to perform more extensive audit procedures to obtain an understanding of the entity and its environment sufficient to identify and assess the risks of material misstatement of the financial statements.

DISCUSSION AMONG THE AUDIT TEAM 18. The members of the audit team should discuss the susceptibility of the entity to

material misstatements of the financial statements. 19. An objective of the discussion2 is to provide an opportunity for more experienced audit

team members, including the auditor with final responsibility for the audit, to share their insights based on their knowledge of the entity and its environment, including its internal control, and for the team members to exchange information about the business risks3 to which the entity is subject and about how and where the financial statements might be susceptible to material misstatement. As required by ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements,” particular emphasis is given to the susceptibility of the entity’s financial statements to fraud. The discussion also addresses application of the identified financial reporting framework to the entity’s facts and circumstances and in light of the entity’s accounting policies. Based on these discussions, members of the audit team may gain a better

1 Information technology (IT) encompasses automated means of originating, processing, storing and

communicating information, and includes recording devices, communication systems, computer systems (including hardware and software components and data), and other electronic devices. An entity’s use of IT may be extensive; however, the auditor is primarily interested in the entity’s use of IT to initiate, record, process, and report transactions or other financial data.

2 There may be one or more discussion(s) depending on the circumstances of the engagement. 3 See paragraph 36.


Page 8 of 43

understanding of the potential for material misstatement of the financial statements resulting from fraud or error in the specific areas of the audit assigned to them, and how the results of the audit procedures that they perform may affect other aspects of the audit including the decisions about audit procedures.

20. Professional judgment is used to determine which members of the audit team are

included in the discussion, how and when it occurs, and the extent of the discussion. In a multi-location audit, for example, there may be multiple discussions that involve the key members of the audit team in each significant location. Another factor to consider in planning the discussions is whether to include experts assigned to the audit team. For example, if the auditor has determined that a professional possessing IT or other special skills is needed on the audit team, it may be useful to include that individual in the discussion.

21. The discussion also emphasizes the need to maintain professional skepticism throughout

the engagement, to be alert for information or other conditions that indicate that a material misstatement due to fraud or error may have occurred, and to be rigorous in following up on such indications.

22. In addition, audit team members communicate and share information obtained

throughout the audit that may affect the assessment of the risks of material misstatement due to fraud or error or the audit procedures performed to address the risks.

SOURCES OF INFORMATION ABOUT THE ENTITY AND ITS ENVIRONMENT, INCLUDING ITS INTERNAL CONTROL 23. The auditor obtains information about the entity and its environment, including its

internal control, from sources within the entity and external to it. Examples of such sources are the entity’s financial statements; minutes of board of directors' meetings; internal management reports; controls manuals; the entity’s press releases and web site; reports prepared by analysts, banks, underwriters, or rating agencies; trade and economic journals; and inquiries of management and other entity personnel. For continuing engagements, the auditor’s previous experience with the entity contributes to the understanding.

24. If the auditor intends to use information about the entity and its environment

obtained in prior periods, the auditor should determine whether changes have occurred that may affect the relevance of such information in the current audit. For example, audit procedures performed in previous audits may provide audit evidence about the entity’s organizational structure, business and controls, as well as information about past misstatements in the financial statements and whether or not they were corrected on a timely basis, which assists the auditor in assessing risks of material misstatement. However, such information may have been rendered irrelevant by changes in the entity or its environment. The auditor makes inquiries and performs other appropriate audit procedures, such as walk-throughs of systems, to determine whether changes have occurred that may affect the relevance of such information.


Page 9 of 43

25. When relevant to the audit, the auditor also considers other information such as that obtained from the auditor’s client acceptance and retention process or, where practicable, experience gained on other engagements performed for the entity, for example, engagements to review interim financial information.

Understanding the Entity and Its Environment, Including Its Internal Control 26. Understanding the entity and its environment includes understanding:

(a) Industry, regulatory, and other external factors, including the applicable financial reporting framework;

(b) Nature of the entity, including the entity’s application of accounting policies;

(c) Objectives and strategies and the related business risks, including the entity’s risk assessment process;

(d) Measurement and review of the entity's financial performance; and

(e) Internal control. 27. Appendix 1 lists examples of matters that the auditor may consider in obtaining an

understanding of the entity and its environment relating to categories (a) through (d) above. Appendix 2 contains a detailed discussion of the internal control components.

INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS, INCLUDING THE APPLICABLE FINANCIAL REPORTING FRAMEWORK 28. The auditor should obtain an understanding of relevant industry, regulatory, and

other external factors including the applicable financial reporting framework. These factors include industry conditions such as the competitive environment, supplier and customer relationships, and technological developments; the regulatory environment encompassing, among other matters, the applicable financial reporting framework, the legal and political environment, and environmental requirements affecting the industry and the entity; and other external factors such as general economic conditions. See ISA 250, “Consideration of Laws and Regulations in an Audit of Financial Statements,” for additional requirements related to the legal and regulatory framework applicable to the entity and the industry.

29. Obtaining an understanding of particular aspects of the entity’s industry, regulatory and

other external factors assists the auditor in identifying risks of material misstatement. For example, regulations may specify certain financial reporting requirements for the industry in which the entity operates. If management fails to comply with such regulations, its financial statements may be materially misstated in the context of the applicable financial reporting framework.

30. In most cases, the applicable financial reporting framework will be that of the

jurisdiction in which the entity is registered or operates and the auditor is based, and the auditor and the entity will have a common understanding of that framework. In some cases, however, there may be no local financial reporting framework, in which case the entity’s choice will be governed by local practice, industry practice, user needs, or other


Page 10 of 43

factors. For example, the entity’s competitors may apply International Financial Reporting Standards (IFRS) and the entity may determine that IFRS are also appropriate for its financial reporting requirements.

31. The industry in which the entity operates may give rise to specific risks arising from the

nature of the business or the degree of regulation. For example, long-term contracts may involve significant estimates of revenues and costs that give rise to risks of material misstatement of the financial statements. In such cases, the auditor considers whether the audit team includes members with sufficient relevant knowledge and experience.

NATURE OF THE ENTITY 32. The auditor should obtain an understanding of the nature of the entity. The nature of

an entity refers to the entity’s operations, its ownership, the types of investments that it is making and plans to make, the way that the entity is structured and how it is financed.

33. An understanding of the nature of an entity assists the auditor in identifying risks of

material misstatement and gives the auditor a better idea of what to expect in the financial statements. A complex structure may give rise to such risks. In addition to the difficulties of consolidation in such cases, other issues may arise including: the allocation of goodwill to business segments, and its impairment; whether investments are joint ventures, subsidiaries or equity investments; and whether special-purpose entities are accounted for appropriately. An understanding of the ownership and relations between owners and other people or entities is important in identifying related parties.

34. The auditor should obtain an understanding of the entity’s application of

accounting policies and consider whether the entity’s selection and application of accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting polices used in the relevant industry. The understanding encompasses the methods the entity uses to account for significant and unusual transactions and the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus. Significant accounting policies include policies in areas such as revenue recognition, off-balance-sheet financing, and accounting for equity investments. The auditor also identifies financial reporting standards and regulations that are new to the entity and considers when and how the entity will adopt such requirements.

35. The presentation of financial statements in conformity with the applicable financial

reporting framework includes adequate disclosure of material matters. These matters relate to the form, arrangement, and content of the financial statements and their appended notes, including, for example, the terminology used, the amount of detail given, the classification of items in the statements, and the basis of amounts set forth. The auditor considers whether disclosure of a particular matter is required by the entity in light of the circumstances and facts of which the auditor is aware at the time.


Page 11 of 43

OBJECTIVES AND STRATEGIES AND RELATED BUSINESS RISKS 36. The auditor should obtain an understanding of the entity’s objectives and strategies,

and the related business risks that may result in material misstatement of the financial statements. The entity’s objectives are the overall plans for the entity as defined by those charged with governance and management. Strategies are the operational approaches by which management intends to achieve its objectives. Business risks result from significant conditions, events, circumstances or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies.

37. The entity conducts its business in the context of industry, regulatory and other internal

and external factors. To respond to these factors it defines its objectives and adopts strategies to achieve them. Just as the external environment changes, the conduct of the business is also dynamic and the entity's strategies and objectives change over time.

38. Business risk is broader than the risk of material misstatement of the financial

statements, though it includes the latter. Business risk particularly may arise from change or complexity, though a failure to recognize the need for change may also give rise to risk. Change may arise, for example, from the development of new products that may fail; from an inadequate market, even if successfully developed; or from flaws that may result in liabilities and reputational risk. As an example of complexity, the conduct and management of long term engineering projects (such as ship construction or the building of a suspension bridge) give rise to risks in the areas of pricing, costing, design and performance control.

39. Most business risks will eventually have financial consequences and, therefore, an effect

on the financial statements. However, not all such risks may be risks of material misstatement. The auditor’s consideration of whether a business risk may result in material misstatement is, therefore, made in light of the entity’s circumstances. Examples of conditions and events that may indicate risks of material misstatement are given in Appendix 3.

40. The auditor benefits in a number of ways from a broad understanding of business risks.

These benefits include increasing the likelihood of identifying the risks of material misstatement of the financial statements and developing expectations for the purpose of performing analytical procedures. The auditor also recognizes that, because of the significance of some of the business risks, management will have established processes to review and control the risks. Where the risks may give rise to the potential for material misstatement of the financial statements, the auditor may find that such processes mitigate that potential.

41. The auditor should obtain an understanding of the entity's process for identifying

and responding to business risks and the results thereof. The process is described as the “risk assessment process” and forms the basis for how management determines the risks to be managed. The risk assessment process is one of the components of internal control (see paragraph 51). Appendix 2 contains a detailed discussion of the risk assessment process.


Page 12 of 43

42. The auditor’s understanding of the entity’s risk assessment process includes how management identifies risks, estimates the significance of the risks, assesses the likelihood of their occurrence, and decides upon actions to manage them. If the entity’s risk assessment process is appropriate to the circumstances, it assists the auditor in identifying risks of material misstatement and, consequently, the auditor’s emphasis on understanding the risk assessment process is on those business risks that may result in material misstatement of the financial statements.

43. The auditor inquires about business risks that management has identified and considers

whether they may result in material misstatement of the financial statements. During the audit, the auditor may identify risks of material misstatement that management failed to identify. In such cases, the auditor considers whether there was an underlying business risk of a kind that should have been identified by the entity’s risk assessment process, and if so, why that process failed to do so and whether the process is appropriate to its circumstances. If, as a result, the auditor judges that there is a material weakness in the entity’s risk assessment process, the auditor communicates this matter to those charged with governance as required by ISA 260, “Communications of Audit Matters with Those Charged with Governance,” and considers the implications for the auditor’s risk identification.

44. An entity's risk assessment differs from the auditor's consideration of audit risk in a

financial statement audit. The purpose of an entity's risk assessment is to identify, analyze, and manage risks that affect the entity’s objectives. In a financial statement audit, the auditor assesses risks to evaluate the likelihood that material misstatements could occur in the financial statements.

MEASUREMENT AND REVIEW OF THE ENTITY’S FINANCIAL PERFORMANCE 45. The auditor should obtain an understanding of the measurement and review of the

entity’s financial performance. Internally-generated information used by management for this purpose may include key performance indicators (financial and non-financial), budgets, variance analysis, segment information and divisional, departmental or other level performance reports, and comparisons of an entity’s performance with that of competitors. External parties may also measure and review the entity’s financial performance. For example, external information such as analysts’ reports and credit rating agency reports may provide information useful to the auditor’s understanding of the entity and its environment. Such reports often are obtained from the entity being audited.

46. Internal measures provide management with information about progress towards meeting

the entity’s objectives. Such measures may highlight unexpected results or trends requiring management’s inquiry of others. Such inquiry may result in management taking appropriate action to improve business performance or may indicate that there is a misstatement in the measures. A deviation in the performance measures may also indicate a risk of misstatement of related financial statement information. In such circumstances, the use of these measures may enable management to detect material misstatements and to correct them on a timely basis.


Page 13 of 43

47. Obtaining an understanding of the entity’s performance measures assists the auditor in

identifying risks of material misstatement. For example, performance measures may indicate that the entity has unusually rapid growth or profitability when compared to that of other entities in the same industry. Such information, particularly if combined with other factors such as performance-based bonus or incentive remuneration, may indicate the potential risk of management bias in the preparation of the financial statements.

48. Performance measures, whether external or internal, create pressures on management

that, in turn, may motivate management to misstate the financial statements. The auditor considers whether such pressures have created risks of material misstatement. See ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements.”

49. In many entities, much of the information used in performance measurement may be

produced by the entity’s information system. If management assumes that data used for reviewing the entity’s performance are accurate without having a basis for that assumption, errors may exist in the information, potentially leading management to incorrect conclusions about performance. When the auditor intends to make use of the performance measures for the purpose of the audit (for example, for analytical procedures), the auditor considers whether the information related to management’s review of the entity’s performance provides a reliable basis and is sufficiently precise for such a purpose. If making use of performance measures, the auditor considers whether they are precise enough to detect material misstatements.

INTERNAL CONTROL 50. The auditor should perform risk assessment procedures to obtain an understanding

of the components of internal control. The auditor uses the understanding of internal control to identify types of potential misstatements, consider factors that affect the risks of material misstatement, and design the nature, timing, and extent of further audit procedures. The extent of the understanding is discussed below.

51. Internal control is designed and effected by those charged with governance, management,

and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. Internal control, as discussed in this ISA, consists of the following components:

(a) The control environment;

(b) The entity’s risk assessment process;

(c) The information system and related business processes relevant to financial reporting and communication;

(d) Control procedures; and

(e) Monitoring of controls.


Page 14 of 43

The understanding required of the entity’s risk assessment process is discussed in paragraphs 41 through 44. The understanding required of the other components is discussed in paragraphs 68 through 94. In addition, paragraphs 104 and 110 discuss certain risks for which the auditor is required to evaluate the entity’s controls. Appendix 2 contains a detailed discussion of the internal control components.

52. The above components of internal control are applicable to the audit of every entity. The

extent of understanding of the components is considered in the context of—

• The auditor’s judgment about materiality.

• The entity's size.

• The entity's organization and ownership characteristics.

• The nature of the entity's business.

• The diversity and complexity of the entity's operations.

• Applicable legal and regulatory requirements.

• The nature and complexity of the systems that are part of the entity's internal control, including the use of service organizations.

53. Obtaining an understanding of internal control involves evaluating the design of a control

and determining whether it has been implemented. Evaluating the design of a control involves considering whether the control is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. Obtaining audit evidence about the design and implementation of relevant controls may involve inquiring of entity personnel, observing the application of specific controls, inspecting documents and reports, and tracing transactions through the information system relevant to financial reporting. Ordinarily, only inquiring of entity personnel will not be sufficient to evaluate the design of a control or to determine whether a control has been implemented.

54. Obtaining an understanding of an entity’s controls is not likely to be sufficient to serve as

testing the operating effectiveness of controls. Tests of the operating effectiveness of controls are described in ISA XX, “The Auditor’s Procedures in Response to Assessed Risks.”

55. The division of internal control into the five components provides a useful framework for

auditors to consider how different aspects of an entity’s internal control may affect the audit. However, it does not necessarily reflect how an entity considers and implements internal control. Also, the auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures and related assertions rather than its classification into any particular component. Accordingly, auditors may use different terminology or conceptual frameworks to describe the various aspects of internal control, and their effect on the audit than those used in this ISA, provided all the requirements of this ISA are met. For the purposes of this ISA, the term “internal control” encompasses


Page 15 of 43

all five components of internal control stated above. In addition, the term “controls” refers to one or more of the components, or any aspect thereof.

Controls Relevant to the Audit 56. There is a direct relationship between an entity’s objectives and the controls it

implements to provide reasonable assurance about their achievement. Although the entity's objectives, and therefore controls, relate to financial reporting, operations and compliance as referred to in paragraph 51, not all of these objectives and controls are relevant to the audit of the entity's financial statements. Further, although internal control applies to the entire entity or to any of its operating units or business processes, an understanding of internal control relating to each of the entity's operating units and business processes may not be relevant to the audit.

57. Ordinarily, controls that are relevant to an audit pertain to the entity's objective of

preparing financial statements for external purposes that give a true and fair view (or are presented fairly, in all material respects) in accordance with the applicable financial reporting framework and the management of risk that may give rise to a risk of material misstatement in those financial statements. Controls relevant to the audit are those that individually or in combination with others are likely to prevent, or detect and correct, material misstatements of the financial statements. Such controls may exist in any of the components of internal control.

58. Controls relating to operations and compliance objectives may be relevant to an audit if

they pertain to data the auditor evaluates or uses in applying audit procedures. For example, controls pertaining to non-financial data that the auditor uses in analytical procedures, such as production statistics, or controls pertaining to detecting non-compliance with laws and regulations that may have a direct and material effect on the financial statements, such as controls over compliance with income tax laws and regulations used to determine the income tax provision, may be relevant to an audit.

59. An entity generally has controls relating to objectives that are not relevant to an audit and

therefore need not be considered. For example, an entity may rely on a sophisticated system of IT controls to provide efficient and effective operations (such as a commercial airline's system of IT controls to maintain flight schedules), but these controls ordinarily would not be relevant to the financial statement audit.

60. Internal control over safeguarding of assets against unauthorized acquisition, use, or

disposition may include controls relating to financial reporting and operations objectives. In obtaining an understanding of each of the components of internal control, the auditor's consideration of safeguarding controls is generally limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, controls to prevent the excessive use of materials in production generally are not relevant to a financial statement audit.


Page 16 of 43

Effect of Information Technology on Internal Control 61. An entity’s use of IT may affect any of the five components of internal control relevant to

the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business processes. For example, an entity may use IT as part of discrete systems that support only particular business units, processes, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entity’s financial reporting, operations, and compliance objectives.

62. The use of IT also affects the manner in which transactions are initiated, recorded,

processed, and reported4. In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.

63. IT provides potential benefits of effectiveness and efficiency for an entity’s internal

control because it enables an entity to:

• Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.

• Enhance the timeliness, availability, and accuracy of information.

• Facilitate the additional analysis of information.

• Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.

• Reduce the risk that controls will be circumvented.

• Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

4 Paragraph 9 of Appendix 2 defines initiation, recording, processing, and reporting as used throughout this

ISA.


Page 17 of 43

64. IT also poses specific risks to an entity’s internal control, including:

• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.

• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.

• Unauthorized changes to data in master files.

• Unauthorized changes to systems or programs.

• Failure to make necessary changes to systems or programs.

• Inappropriate manual intervention.

• Potential loss of data or inability to access data as required. 65. The extent and nature of these risks to internal control vary depending on the nature and

characteristics of the entity’s information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When IT personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity’s use of IT in its information system affect the entity’s internal control.

Limitations of Internal Control 66. Internal control, no matter how well designed and operated, can provide an entity only

reasonable assurance about achieving the entity's objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures, such as simple errors or mistakes. For example, errors may occur in designing, maintaining, or monitoring IT controls. If an entity’s IT personnel do not completely understand how an order entry system processes sales transactions, they may erroneously design changes to the system to process sales for a new line of products. On the other hand, such changes may be correctly designed but misunderstood by individuals who translate the design into program code. Errors also may occur in the use of information produced by IT. For example IT controls may be designed to report transactions over a specified amount for management review, but individuals responsible for conducting the review may not understand the purpose of such reports and, accordingly, may fail to review them or investigate unusual items.

67. Additionally, controls can be circumvented by the collusion of two or more people or

inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the


Page 18 of 43

entity’s standard sales contract in ways that would preclude revenue recognition. Also, edit routines in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.

Control Environment 68. The auditor should obtain an understanding of the control environment. The control

environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.

69. The primary responsibility for the prevention and detection of fraud and error rests with

both those charged with governance and the management of an entity. Management, with the oversight of those charged with governance, should set the proper tone, create and maintain a culture of honesty and ethical behavior, and establish appropriate controls to prevent and detect fraud and error within the entity.

70. Control environment elements include the following:

(a) Communication and enforcement of integrity and ethical values—essential elements which influence the effectiveness of the design, administration and monitoring of controls;

(b) Commitment to competence—management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge;

(c) Participation by those charged with governance—independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the information they receive, the degree to which difficult questions are raised and pursued with management and their interaction with internal and external auditors;

(d) Management's philosophy and operating style—management’s approach to taking and managing business risks, and management’s attitudes and actions toward financial reporting, information processing and accounting functions and personnel;

(e) Organizational structure—the framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed;

(f) Assignment of authority and responsibility—how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established; and

(g) Human resource policies and practices—recruitment, orientation, training, evaluating, counseling, promoting, compensating and remedial actions.


Page 19 of 43

71. In particular for listed entities, the responsibilities of those charged with governance are of considerable importance. This is recognized in codes of practice and other regulations or guidance produced for the benefit of those charged with governance. The basis for management remuneration, especially executive performance-related compensation, and the pressures of the stock markets place stresses on management arising from the conflicting demands of fair reporting and the perceived benefits to shareholders of improved results. It is one, but not the only, role of those charged with governance to counterbalance such pressures. In understanding the control environment, the auditor considers such matters as the independence of the directors and their ability to evaluate the actions of management. The auditor also considers whether there is an audit committee that understands the entity’s business transactions and evaluates whether the financial statements give a true and fair view (or are presented fairly, in all material respects) in accordance with the applicable financial reporting framework.

72. In understanding the control environment, the auditor obtains audit evidence about its

implementation. For example, through inquiries of management and employees, the auditor may obtain an understanding of how management communicates to employees its views on business practices and ethical behavior, and how management demonstrates behavior consistent with these views. The auditor considers whether management may have established a formal code of conduct but nevertheless acts in a manner that condones violations of that code or authorizes exceptions to it.

73. When obtaining an understanding of the control environment, the auditor considers the

collective effect on the control environment of strengths and weaknesses in various control environment elements. Management's strengths and weaknesses may have a pervasive effect on internal control. For example, owner-manager controls may mitigate a lack of segregation of duties in a small business, or an active and independent board of directors may influence the philosophy and operating style of senior management in larger entities. Alternatively, management’s failure to commit sufficient resources to address security risks presented by IT may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or by allowing unauthorized transactions to be processed. Similarly, human resource policies and practices directed toward hiring competent financial, accounting, and IT personnel may not mitigate a strong bias by top management to overstate earnings.

74. Obtaining an understanding of the elements of the control environment assists the auditor

in identifying risks of material misstatement. The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement of the financial statements. In particular, it may help reduce the risk of fraud, although a satisfactory control environment is not an absolute deterrent to fraud. Conversely, weaknesses in the control environment may undermine the effectiveness of controls and therefore be negative factors in the auditor’s assessment of the risks of material misstatement, in particular in relation to fraud.

75. The control environment in itself is not likely to be specific enough to prevent, or detect

and correct, a material misstatement in classes of transactions, account balances and disclosures and related assertions. The auditor, therefore, ordinarily considers the effect


Page 20 of 43

of other components along with the control environment when assessing the risks of material misstatement; for example, the monitoring of controls and the operation of specific control procedures.

Information System and Related Business Processes Relevant to Financial Reporting and Communication 76. The information system relevant to financial reporting objectives, which includes the

accounting system, consists of the procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. The quality of system-generated information affects management's ability to make appropriate decisions in controlling the entity's activities and to prepare reliable financial reports.

77. The auditor should obtain an understanding of the information system and related

business processes relevant to financial reporting in the following areas:

• The classes of transactions in the entity's operations that are significant to the financial statements.

• The procedures, within both IT and other systems, by which those transactions are initiated, recorded, processed and reported from their occurrence to their inclusion in the financial statements.

• The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions.

• How the information system captures events and conditions, other than transactions, that are significant to the financial statements.

• The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.

78. When IT is used to initiate, record, process or report transactions, or other financial data

for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for significant accounts or may be critical to the effective functioning of manual controls that depend on IT.

79. The auditor also understands how the incorrect processing of transactions is resolved, for

example, whether there is an automated suspense file and how it is used by the entity to ensure that suspense items are cleared out on a timely basis, and how system overrides or bypasses to controls are processed and accounted for.

80. In obtaining an understanding of the financial reporting process, the auditor should

obtain an understanding of the IT and other procedures an entity uses to prepare financial statements and related disclosures, and how misstatements may occur. Such IT and other procedures include those used to:


Page 21 of 43

• Enter transaction totals into the general ledger (or equivalent records). In some information systems, IT may be used to transfer such information automatically from transaction processing systems to general ledger or financial reporting systems. The automated processes and controls in such systems may reduce the risk of inadvertent error but do not overcome the risk that individuals may inappropriately override such automated processes, for example, by changing the amounts being automatically passed to the general ledger or financial reporting system. Furthermore, in planning the audit, the auditor maintains an awareness that when IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.

• Initiate, record, and process journal entries in the general ledger. An entity’s financial reporting process used to prepare the financial statements typically includes the use of standard journal entries that are required on a recurring basis to record transactions such as sales, purchases, and cash disbursements, or to record accounting estimates that are periodically made by management such as changes in the estimate of uncollectible accounts receivable. An entity’s financial reporting process also includes the use of non-standard journal entries to record nonrecurring or unusual transactions or adjustments such as a business combination or disposal, or a nonrecurring estimate such as an asset impairment. In manual, paper-based general ledger systems, such journal entries may be identified through inspection of ledgers, journals, and supporting documentation. However, when IT is used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified through the use of computer-assisted audit techniques.

• Initiate and record recurring and nonrecurring adjustments to the financial statements. These are procedures that are not reflected in formal journal entries, such as consolidating adjustments, report combinations, and reclassifications.

81. The auditor obtains an understanding of the entity’s information system relevant to

financial reporting in a manner that is appropriate to the entity’s circumstances. This includes obtaining an understanding of how transactions are generated within the entity’s business processes. An entity’s business processes are the activities designed to develop, purchase, produce, sell and distribute an entity’s products and services; ensure compliance with laws and regulations; and record information, including accounting and financial reporting information.

82. The auditor should understand how the entity communicates financial reporting

roles and responsibilities and significant matters relating to financial reporting. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on. The auditor’s understanding of communication pertaining to financial reporting matters also includes communications between


Page 22 of 43

management and those charged with governance, particularly the audit committee, as well as external communications such as those with regulatory authorities.

Control Procedures 83. The auditor should obtain an understanding of those control procedures relevant to

the audit. Control procedures are the policies and procedures that help ensure that management directives are carried out; for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control procedures, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control procedures include the following:

Performance reviews

• Comparing and analyzing the financial results with budgeted amounts.

• Comparing internal data with external sources of information.

Information processing

• Checking the arithmetical accuracy of the records.

• Maintaining and reviewing accounts and trial balances.

• Controlling applications and the IT environment, for example, by establishing controls over:

o Changes to computer programs.

o Access to data files.

Physical controls

• Comparing the results of cash, security and inventory counts with accounting records.

• Limiting direct physical access to assets and records.

Segregation of duties

• Reporting, reviewing and approving reconciliations.

• Approval and control of documents. 84. The auditor considers the knowledge about the presence or absence of control procedures

obtained from the understanding of the other components of internal control in determining whether it is necessary to devote additional attention to obtaining an understanding of control procedures. An audit does not require an understanding of the control procedures related to each class of transactions, account balance and disclosure in the financial statements or to every assertion relevant to them. Ordinarily, control procedures that may be relevant to an audit include those relating to authorization, segregation of duties, safeguarding of assets, and asset accountability, including, for example, reconciliations of the general ledger to the detailed records. Ordinarily the


Page 23 of 43

auditor obtains an understanding of the process of reconciling detail to the general ledger for significant accounts. Also, control procedures are relevant to the audit if the auditor is required to evaluate them as discussed in paragraphs 104 and 110.

85. The auditor should obtain an understanding of how IT affects control procedures

that are relevant to the audit. Some entities and auditors may view the IT control procedures in terms of application controls and general controls. Application controls apply to the processing performed by individual applications. Accordingly, application controls relate to the use of IT to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Examples include edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.

86. General controls are policies and procedures that relate to many applications and support

the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls commonly include controls over data center and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance.

87. The use of IT affects the way that control procedures are implemented. For example,

when IT is used in an information system, segregation of duties often is achieved by implementing security controls.

88. The auditor considers whether the entity has responded adequately to the risks arising

from IT by establishing effective controls. From the auditor’s perspective, controls over IT systems are effective when they maintain the integrity of information and the security of the data such systems process.

89. IT enables an entity consistently to process large volumes of data and enhances the

entity’s ability to monitor the performance of activities and to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems. Obtaining evidence about the implementation of a manually operated control may not provide much evidence about the operating effectiveness of the control at relevant times during the period under audit. Because of the inherent consistency of IT processing, however, performing audit procedures to determine whether an IT control has been implemented may serve as a test of that control’s operating effectiveness, depending on the auditor’s assessment and testing of such factors as whether the program has been changed or whether there is a significant risk of unauthorized change or other improper intervention.

Monitoring of Controls 90. The auditor should obtain an understanding of the major types of activities that the

entity uses to monitor internal control over financial reporting, including the sources of the information related to those activities, and how those activities are used to initiate corrective actions to its controls.


Page 24 of 43

91. An important management responsibility is to establish and maintain internal control on

an ongoing basis. Management’s monitoring of controls includes whether they are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring of controls may include activities such as management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts, and legal departments’ oversight of compliance with the entity’s ethical or business practice policies.

92. Monitoring of controls is a process to assess the quality of internal control performance

over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity's activities. See ISA 610, “Considering the Work of Internal Auditing” for additional guidance. Management’s monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement.

93. In many entities, much of the information used in monitoring may be produced by the

entity’s information system. If management assumes that data used for monitoring are accurate without having a basis for that assumption, errors may exist in the information, potentially leading management to incorrect conclusions from its monitoring activities. The auditor obtains an understanding of the sources of the information related to the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose.

94. The auditor’s understanding of management’s monitoring of controls may assist the

auditor in identifying the existence of more detailed controls or other activities which the auditor may consider in making risk assessments.

Assessing the Risks of Material Misstatement 95. The auditor should assess the risks of material misstatement at the financial

statement level, and at the assertion level for classes of transactions, account balances and disclosures. To assess the risks, the auditor:

• Identifies risks by considering the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances and disclosures in the financial statements.

• Relates the identified risks to what can go wrong at the assertion level.

• Considers whether the risks are of a magnitude that could result in a material misstatement of the financial statements.


Page 25 of 43

• Considers the likelihood that the risks will result in a material misstatement of the financial statements.

96. The auditor uses information gathered by performing risk assessment procedures to

obtain an understanding of the entity and its environment, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, as audit evidence to support the risk assessment. The auditor uses the risk assessment to determine the nature, timing and extent of further audit procedures to be performed.

97. The auditor determines whether the identified risks of material misstatement relate to

specific classes of transactions, account balances and disclosures and related assertions, or whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions. The latter risks (risks at the financial statement level) may derive in particular from an inadequate control environment.

98. The nature of the risks arising from a weak control environment is such that they are not

likely to be related to specific individual risks of material misstatement in particular classes of transactions, account balances and disclosures. Rather, weaknesses such as lack of management integrity and competence may have a more pervasive effect on the financial statements and may require an overall response by the auditor.

99. In making risk assessments, the auditor may identify the controls that are likely to

prevent, or detect and correct, material misstatement in specific assertions. Generally, the auditor gains an understanding of controls and relates them to assertions in the context of processes and systems in which they exist. Doing so is useful because individual control procedures often do not in themselves address a risk. Often only multiple control procedures, together with other elements of internal control, will be sufficient to address a risk.

100. Conversely, some control procedures may have a specific effect on an individual

assertion embodied in a particular class of transaction or account balance. For example, the control procedures that an entity established to ensure that its personnel are properly counting and recording the annual physical inventory relate directly to the existence assertion for the inventory account balance.

101. Controls can be either directly or indirectly related to an assertion. The more indirect the

relationship, the less effective that control may be in preventing, or detecting and correcting, misstatements in that assertion. For example, a sales manager's review of a summary of sales activity for specific stores by region ordinarily is indirectly related to the completeness assertion for sales revenue. Accordingly, it may be less effective in reducing risk for that assertion than controls more directly related to that assertion, such as matching shipping documents with billing documents.

102. General controls relate to many applications and support the effective functioning of

application controls by helping to ensure the continued proper operation of information


Page 26 of 43

systems. The auditor considers identifying not only application controls directly related to one or more assertions, but also relevant general controls.

103. The auditor's understanding of internal control may raise doubts about the auditability of

an entity's financial statements. Concerns about the integrity of the entity's management may be so serious as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted. Also, concerns about the condition and reliability of an entity's records may cause the auditor to conclude that it is unlikely that sufficient appropriate audit evidence will be available to support an unqualified opinion on the financial statements. In such circumstances, the auditor considers a qualification or disclaimer of opinion, but in some cases the auditor’s only recourse may be to withdraw from the engagement.

SIGNIFICANT RISKS THAT REQUIRE SPECIAL AUDIT CONSIDERATION 104. As part of the risk assessment as described in paragraph 95, the auditor should

determine which of the risks identified are, in the auditor’s judgment, significant risks that require special audit consideration. For significant risks, to the extent the auditor has not already done so, the auditor should evaluate the design of the entity’s controls, including relevant control procedures, and determine whether they have been implemented. The consequences for further audit procedures of identifying a risk as significant are described in paragraphs 40 and 44 of ISA XX, “The Auditor’s Procedures in Response to Assessed Risks.”

105. Significant risks arise on most audits, but their determination is a matter for the auditor’s

professional judgment. The determination of these risks excludes the auditor’s consideration of internal control (that is, they are inherent risks). In exercising this judgment the auditor considers a number of matters, including the matters below:

• Whether the risk is a risk of fraud.

• The likelihood of the occurrence of the risk.

• The likely magnitude of the potential misstatement and the possibility that the risk may give rise to multiple misstatements.

• Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention.

• The complexity of transactions that may give rise to the risk.

• Whether the risk involves significant transactions with related parties.

• The degree of subjectivity in the measurement of financial information related to the risk.

• Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditor’s understanding of the entity and its environment.


Page 27 of 43

106. Significant risks are often significant business risks that may result in material misstatement of the financial statements. Management ought to be aware of such risks, and ordinarily will have responded by implementing controls over such risks.

107. Significant risks often relate to significant non-routine transactions and judgmental

matters. Non-routine transactions are transactions that are unusual, either due to size or nature, and that therefore occur infrequently. Judgmental matters may include the development of significant accounting estimates. There may be a greater risk of material misstatement associated with such risks and less likelihood of their being subject to routine control systems, and so a more in-depth understanding of whether and how the entity responds to the risk is required to provide the auditor with adequate information to develop an effective audit approach.

108. Risks of material misstatement may be greater for risks relating to significant non-routine

transactions arising from matters such as:

• Greater management intervention to specify the accounting treatment.

• Greater manual intervention for data collection and processing.

• Complex calculations or accounting principles.

• The nature of non-routine transactions, which may make it difficult for the entity to implement effective controls over the risks.

• Significant related party transactions. 109. Risks of material misstatement may be greater for risks relating to significant judgmental

matters that require the development of accounting estimates, arising from matters such as:

• Accounting principles for accounting estimates or revenue recognition may be subject to differing interpretation.

• Required judgment may be subjective, complex or require assumptions about the effects of future events, for example, judgment about fair value.

RISKS FOR WHICH SUBSTANTIVE PROCEDURES ALONE DO NOT PROVIDE SUFFICIENT APPROPRIATE AUDIT EVIDENCE 110. As part of the risk assessment as described in paragraph 95, the auditor should

evaluate the design and determine the implementation of the entity’s controls, including relevant control procedures, over those risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures. The consequences for further audit procedures of identifying such risks are described in paragraph 23 of ISA XX, “The Auditor’s Procedures in Response to Assessed Risks.”

111. The understanding of the entity’s information system relevant to financial reporting

enables the auditor to identify risks of material misstatement that relate directly to the recording of routine classes of transactions or account balances and the preparation of


Page 28 of 43

reliable financial statements; these include risks of inaccurate or incomplete processing. Ordinarily, such risks relate to significant classes of transactions such as an entity’s revenue, purchases, and cash receipts or cash payments.

112. The characteristics of routine day-to-day business transactions often permit highly

automated processing with little or no manual intervention. In such circumstances, it may not be possible to perform only substantive procedures in relation to the risk. For example, in circumstances where a significant amount of an entity’s information is initiated, recorded, processed, or reported electronically such as in an integrated system, the auditor may determine that it is not possible to design effective substantive procedures that by themselves would provide sufficient appropriate audit evidence that relevant classes of transactions or account balances are not materially misstated. In such cases, audit evidence may be available only in electronic form, and its sufficiency and appropriateness usually depend on the effectiveness of controls over its accuracy and completeness. Furthermore, the potential for improper initiation or alteration of information to occur and not be detected may be greater if information is initiated, recorded, processed or reported only in electronic form and appropriate controls are not operating effectively.

113. Examples of situations where the auditor may find it impossible to design effective

substantive tests that by themselves provide sufficient appropriate audit evidence that certain assertions are not materially misstated include the following:

• An entity that conducts its business using IT to initiate orders for the purchase and delivery of goods based on predetermined rules of what to order and in what quantities and to pay the related accounts payable based on system-generated decisions initiated upon the confirmed receipt of goods and terms of payment. No other documentation of orders placed or goods received is produced or maintained, other than through the IT system.

• An entity that provides services to customers via electronic media (for example, an Internet service provider or a telecommunications company) and uses IT to create a log of the services provided to its customers, initiate and process its billings for the services and automatically record such amounts in electronic accounting records that are part of the system used to produce the entity’s financial statements.

REVISION OF RISK ASSESSMENT 114. The auditor’s assessment of the risks of material misstatement at the assertion level is

based on available audit evidence and may change during the course of the audit as additional audit evidence is obtained. In particular, the risk assessment may be based on an expectation that controls are operating effectively to prevent, or detect and correct, a material misstatement at the assertion level. In performing tests of controls to obtain audit evidence about their operating effectiveness, the auditor may obtain audit evidence that controls are not operating effectively at relevant times during the audit. Similarly, in performing substantive procedures the auditor may detect misstatements in amounts or frequency greater than is consistent with the auditor’s risk assessments. In circumstances where the auditor obtains audit evidence from performing further audit procedures that tends to contradict the audit evidence on which the auditor originally based the


Page 29 of 43

assessment, the auditor revises the assessment and modifies the further planned audit procedures accordingly.

Communicating with Those Charged with Governance or Management 115. The auditor should make those charged with governance or management aware, as

soon as practicable, and at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal control which have come to the auditor’s attention.

116. If the auditor identifies risks of material misstatement of the financial statements which

the entity has either not controlled, or for which the relevant control is inadequate, or if in the auditor’s judgment there is a material weakness in the entity’s risk assessment process, then the auditor includes such internal control deficiencies in the communication of audit matters of governance interest. See ISA 260, “Communications of Audit Matters with Those Charged with Governance.”

Documentation 117. The auditor should document:

(a) The discussion among the audit team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, including how and when the discussion occurred, the audit team members who participated, and the subject matter discussed;

(b) The understanding obtained regarding each of the aspects of the entity and its environment identified in paragraph 26, including each of the internal control components identified in paragraph 51, to assess the risks of material misstatement of the financial statements; the sources of information from which the understanding was obtained; and the risk assessment procedures.

(c) The controls evaluated as a result of the requirements in paragraphs 104 and 110; and

(d) The results of the risk assessment both at the financial statement level and at the assertion level.

118. The documentation of the discussion among the audit team includes the decisions

relevant to the audit procedures. 119. The manner in which these matters are documented is for the auditor to determine using

professional judgment. Examples of common techniques, used alone or in combination include narrative descriptions, questionnaires, check lists and flow charts. The form and extent of this documentation is influenced by the nature, size and complexity of the entity and its internal control. For example, documentation of the understanding of a complex information system in which a large volume of transactions are electronically initiated, recorded, processed, or reported may include flowcharts, questionnaires, or decision tables. For an information system making limited or no use of IT or for which few transactions are processed (for example, long-term debt), documentation in the form of a


Page 30 of 43

memorandum may be sufficient. Ordinarily, the more complex the entity and its environment including its internal control, and the more extensive the audit procedures performed by the auditor, the more extensive the auditor's documentation will be. The specific audit methodology and technology used in the course of the audit also affects the form and extent of documentation.

Effective Date 120. This ISA is effective for audits of financial statements for periods beginning on or after

XXXX.


Page 31 of 43

Appendix 1: Understanding the Entity and Its Environment This appendix provides additional guidance on matters the auditor may consider when obtaining an understanding of the industry, regulatory, and other external factors that affect the entity, including the applicable financial reporting framework; the nature of the entity; objectives and strategies and related business risks; and measurement and review of the entity’s financial performance. The examples provided cover a broad range of matters applicable to many engagements; however, not all matters are relevant to every engagement and the list of examples is not necessarily complete. Additional guidance on internal control is contained in Appendix 2.

INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS, INCLUDING THE APPLICABLE FINANCIAL REPORTING FRAMEWORK. Examples of matters an auditor may consider include the following:

• Industry conditions o The market and competition, including demand, capacity, and price competition o Cyclical or seasonal activity o Product technology relating to the entity’s products o Energy supply and cost

• Regulatory environment o Accounting principles and industry specific practices o Regulatory framework for a regulated industry o Legislation and regulation that significantly affect the entity’s operations

– regulatory requirements

– direct supervisory activities

o Taxation (corporate and other) o Government policies currently affecting the conduct of the entity’s business

– monetary, including foreign exchange controls

– fiscal

– financial incentives (for example, government aid programs)

– tariffs, trade restrictions

o Environmental requirements affecting the industry and the entity’s business

• Other external factors currently affecting the entity’s business o General level of economic activity (for example, recession, growth) o Interest rates and availability of financing


Page 32 of 43

o Inflation, currency revaluation

NATURE OF THE ENTITY Examples of matters an auditor may consider include the following:

Business Operations:

• Nature of revenue sources (for example, manufacturer, wholesaler, banking, insurance or other financial services, import/export trading, utility, transportation and technology products and services)

• Products or services and markets (for example, major customers and contracts, terms of payment, profit margins, market share, competitors, exports, pricing policies, reputation of products, warranties, order book, trends, marketing strategy and objectives, manufacturing processes)

• Conduct of operations (for example, stages and methods of production, business segments, delivery or products and services, details of declining or expanding operations)

• Alliances, joint ventures, and outsourcing activities

• Involvement in E-commerce, including Internet sales and marketing activities

• Geographic dispersion and industry segmentation

• Location of production facilities, warehouses, and offices

• Key customers

• Important suppliers of goods and services (for example, long-term contracts, stability of supply, terms of payment, imports, methods of delivery such as “just-in-time”)

• Employment (for example, by location, supply, wage levels, union contracts, pension and other post employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters)

• Research and development activities and expenditures

• Transactions with related parties

Investments:

• Acquisitions, mergers or disposals of business activities (planned or recently executed)

• Investments and dispositions of securities and loans

• Capital investment activities, including investments in plant and equipment and technology, and any recent or planned changes

• Investments in non-consolidated entities, including partnerships, joint ventures and special-purpose entities


Page 33 of 43

Financing:

• Group structure – major subsidiaries and associated entities, including consolidated and non-consolidated structures

• Debt structure, including covenants, restrictions, guarantees, and off-balance-sheet financing arrangements

• Leasing of property, plant or equipment for use in the business

• Beneficial owners (local, foreign, business reputation and experience)

• Related parties

• Use of derivative financial instruments

Financial Reporting:

• Accounting principles and industry specific practices

• Revenue recognition practices

• Accounting for fair values

• Inventories (for example, locations, quantities)

• Foreign currency assets, liabilities and transactions

• Industry-specific significant categories (for example, loans and investments for banks, accounts receivable and inventory for manufacturers, research and development for pharmaceuticals)

• Accounting for unusual or complex transactions including those in controversial or emerging areas (for example, accounting for stock-based compensation)

• Financial statement presentation and disclosure

OBJECTIVES AND STRATEGIES AND RELATED BUSINESS RISKS Examples of matters an auditor may consider include:

• Existence of objectives (i.e., how the entity addresses industry, regulatory and other external factors) relating to, for example, the following: o Industry developments (potential related business risk – entity does not have the

personnel or expertise to deal with the changes in the industry) o New products and services (potential related business risk – increased product

liability) o Expansion of the business (potential related business risk – demand has not been

accurately estimated) o New accounting requirements (potential related business risk – incomplete or

improper implementation, increased costs) o Regulatory requirements (potential related business risk – increased legal exposure)


Page 34 of 43

o Current and prospective financing requirements (potential related business risk – loss of financing due to inability to meet requirements)

o Use of IT (potential related business risk – systems and processes not compatible)

• Effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (potential related business risk – incomplete or improper implementation)

MEASUREMENT AND REVIEW OF THE ENTITY'S FINANCIAL PERFORMANCE Examples of matters an auditor may consider include:

• Key ratios and operating statistics

• Key performance indicators

• Employee performance measures and incentive compensation policies

• Trends

• Use of forecasts, budgets and variance analysis

• Analyst reports and credit rating reports

• Competitor analysis

• Period-on-period financial performance (revenue growth, profitability, leverage)


Page 35 of 43

Appendix 2: Internal Control Components 1. This appendix discusses the five internal control components listed in paragraph 51 and

further described in paragraphs 41 through 44 and 50 through 94 as they relate to a financial statement audit.

CONTROL ENVIRONMENT 2. The control environment sets the tone of an organization, influencing the control

consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.

3. The control environment encompasses the following elements:

(a) Communication and enforcement of integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment which influence the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of the entity's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.

(b) Commitment to competence. Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. Commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.

(c) Participation by those charged with governance. An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of their actions, the information they receive, the degree to which difficult questions are raised and pursued with management and their interaction with internal and external auditors.

(d) Management's philosophy and operating style. Management's philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management's approach to taking and monitoring business risks; management's attitudes and actions toward financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and management's attitudes toward information processing and accounting functions and personnel.

(e) Organizational structure. An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are


Page 36 of 43

planned, executed, controlled, and reviewed. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities.

(f) Assignment of authority and responsibility. This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

(g) Human resource policies and practices. Human resource policies and practices relate to recruitment, orientation, training, evaluating, counseling, promoting, compensating, and remedial actions. For example, standards for recruiting the most qualified individuals—with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior—demonstrate an entity's commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behavior. Promotions driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.

Application to Small Entities 4. Small entities may implement the control environment elements differently than larger

entities. For example, small entities might not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Similarly, those charged with governance in small entities may not include an independent or outside member.

ENTITY’S RISK ASSESSMENT PROCESS 5. An entity's risk assessment process is its process for identifying and responding to

business risks and the results thereof. For financial reporting purposes, the entity’s risk assessment process includes how management identifies risks relevant to the preparation of financial statements that give a true and fair view (or are presented fairly, in all material respects) in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.


Page 37 of 43

6. Risks relevant to financial reporting include external and internal events and

circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

• Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.

• New personnel. New personnel may have a different focus on or understanding of internal control.

• New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.

• Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.

• New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control.

• New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.

• Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.

• Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.

• New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

Application to Small Entities 7. The basic concepts of the entity’s risk assessment process should be present in every

entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in small entities. Management may be able to learn about risks related to these objectives through direct personal involvement with employees and outside parties.


Page 38 of 43

INFORMATION SYSTEM AND RELATED BUSINESS PROCESSES RELEVANT TO FINANCIAL REPORTING AND COMMUNICATION 8. An information system consists of infrastructure (physical and hardware components),

software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT).

9. The information system relevant to financial reporting objectives, which includes the

financial reporting system, consists of the procedures, and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in measuring and reviewing the entity’s financial performance and in other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.

10. Accordingly, an information system encompasses methods and records that:

• Identify and record all valid transactions.

• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.

• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.

• Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.

• Present properly the transactions and related disclosures in the financial statements. 11. Communication involves providing an understanding of individual roles and

responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on.

12. Communication takes such forms as policy manuals, accounting and financial reporting

manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.


Page 39 of 43

Application to Small Entities 13. Information systems and related business processes relevant to financial reporting in

small entities are likely to be less formal than in larger entities, but their role is just as significant. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small entity than in a larger entity due to the small entity’s size and fewer levels as well as management's greater visibility and availability.

CONTROL PROCEDURES 14. Control procedures are the policies and procedures that help ensure that management

directives are carried out, for example, that necessary actions are taken to address risks to achievement of the entity's objectives. Control procedures, have various objectives and are applied at various organizational and functional levels.

15. Generally, control procedures that may be relevant to an audit may be categorized as

policies and procedures that pertain to the following:

• Performance reviews. These control procedures include reviews of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data—operating or financial—to one another, together with analyses of the relationships and investigative and corrective actions; and review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.

• Information processing. A variety of controls are performed to check accuracy, completeness, and authorization of transactions. The two broad groupings of information systems control procedures are application controls and general controls. Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. General controls commonly include controls over data center and network operations; system software acquisition and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe, and end-user environments. Examples of such general controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.

• Physical controls. These activities encompass the physical security of assets, including adequate safeguards such as secured facilities, over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records. The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. For


Page 40 of 43

example, these controls would ordinarily not be relevant when any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, the physical security controls would be relevant to the audit.

• Segregation of duties. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the auditor’s duties.

Application to Small Entities 16. The concepts underlying control procedures in small entities are likely to be similar to

those in larger entities, but the formality with which they operate varies. Further, small entities may find that certain types of control procedures are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control procedures. An appropriate segregation of duties often appears to present difficulties in small entities. Even companies that have only a few employees, however, may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives.

MONITORING OF CONTROLS 17. Monitoring of controls is a process to assess the quality of internal control performance

over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

18. Ongoing monitoring activities are built into the normal recurring activities of an entity

and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations.

19. In many entities, internal auditors or personnel performing similar functions contribute to

the monitoring of an entity's controls through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.

20. Monitoring activities may include using information from communications from external

parties. Customers implicitly corroborate billing data by paying their invoices or


Page 41 of 43

complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external auditors in performing monitoring activities.

Application to Small Entities 21. Ongoing monitoring activities of small entities are more likely to be informal and are

typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data.


Page 42 of 43

Appendix 3: Conditions and Events That May Indicate Risks of Material Misstatement The following are examples of conditions and events that may indicate the existence of risks of material misstatement. The examples provided cover a broad range of conditions and events; however, not all conditions and events are relevant to every audit engagement and the list of examples is not necessarily complete.

• Operations in regions that are economically unstable, for example, countries with significant currency devaluation or highly inflationary economies.

• Operations exposed to volatile markets, for example, futures trading.

• High degree of complex regulation.

• Going concern and liquidity issues including loss of significant customers.

• Constraints on the availability of capital and credit.

• Changes in the industry in which the entity operates.

• Changes in the supply chain.

• Developing or offering new products or services, or moving into new lines of business.

• Expanding into new locations.

• Changes in the entity such as large acquisitions or reorganizations or other unusual events.

• Entities or business segments likely to be sold.

• Complex alliances and joint ventures.

• Use of off-balance-sheet finance, special-purpose entities, and other complex financing arrangements.

• Significant transactions with related parties.

• Lack of personnel with appropriate accounting and financial reporting skills.

• Changes in key personnel including departure of key executives.

• Weaknesses in internal control, especially those not addressed by management.

• Inconsistencies between the entity’s IT strategy and its business strategies.

• Changes in the IT environment.

• Installation of significant new IT systems related to financial reporting.

• Inquiries into the entity’s operations or financial results by regulatory or government bodies.

• Past misstatements, history of errors or a significant amount of adjustments at period end.

• Significant amount of non-routine or nonsystematic transactions including intercompany transactions and large revenue transactions at period end.


Page 43 of 43

• Transactions that are recorded based on management’s intent, for example, debt refinancing, assets to be sold and classification of marketable securities.

• Application of new accounting pronouncements.

• Complex processes related to accounting measurements.

• Events or transactions that result in significant measurement uncertainty, including accounting estimates.

• Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.

IFAC

International

Auditing

and Assurance

Standards Board

October 2002

Exposure Draft


The Auditor’s Procedures in

Response to Assessed Risks Proposed International Standard on Auditing


The International

Federation of

Accountants

ISA XX, “THE AUDITOR’S PROCEDURES IN RESPONSE TO ASSESSED RISKS”

Page 1 of 16

CONTENTS

Paragraphs Introduction ................................................................................................................ 1–4

Overall Responses ...................................................................................................... 5–7

Audit Procedures Responsive to Risks of Material Misstatement at the Assertion Level .................................................................. 8–57

Considering the Nature, Timing and Extent of Audit Procedures ................................................................................................ 10–21

Nature .......................................................................................................... 10–13

Timing ......................................................................................................... 14–17

Extent ........................................................................................................... 18–21

Tests of Controls ................................................................................................. 22–42

Nature of Tests of Controls .......................................................................... 26–30

Timing of Tests of Controls ......................................................................... 31–40

Extent of Tests of Controls ………………………………………… .......... 41–42

Substantive Procedures …………………………………………………........... 43–57

Nature of Substantive Procedures ............................................................... 46–49

Timing of Substantive Procedures ............................................................... 50–54

Extent of the Performance of Substantive Procedures ................................ 55–57

Evaluating the Sufficiency and Appropriateness of Audit Evidence Obtained ................................................................................... 58–64

Documentation ........................................................................................................... 65

Effective Date ............................................................................................................. 66


Page 2 of 16

International Standards on Auditing (ISAs) are to be applied in the audit of financial statements. ISAs are also to be applied, adapted as necessary, to the audit of other information and to related services. ISAs contain the basic principles and essential procedures (identified in bold type black lettering) together with related guidance in the form of explanatory and other material. The basic principles and essential procedures are to be interpreted in the context of the explanatory and other material that provide guidance for their application. To understand and apply the basic principles and essential procedures together with the related guidance, it is necessary to consider the whole text of the ISA including explanatory and other material contained in the ISA, not just that text which is black lettered. In exceptional circumstances, an auditor may judge it necessary to depart from an ISA in order to more effectively achieve the object of an audit. When such a situation arises, the auditor should be prepared to justify the departure. ISAs need only be applied to material matters. The Public Sector Perspective (PSP) issued by the Public Sector Committee of the International Federation of Accountants is set out at the end of an ISA. Where no PSP is added, the ISA is applicable in all material respects to the public sector.


Page 3 of 16


provide guidance on determining overall responses and designing and performing further audit procedures to respond to the assessed risks of material misstatement at the financial statement and assertion levels. The auditor’s understanding of the entity and its environment, including its internal control, and assessment of the risks of material misstatement are described in ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.”

2. The following is an overview of the requirements of this standard:

• Overall responses. This section requires the auditor to determine overall responses to address the risks of material misstatement at the financial statement level and provides guidance on the nature of those responses.

• Audit procedures responsive to risks of material misstatement at the assertion level. This section requires the auditor to design and perform further audit procedures, including tests of controls, where relevant, and substantive procedures, whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level. In addition, this section includes matters the auditor considers in determining the nature, timing and extent of such audit procedures.

• Evaluating the sufficiency and appropriateness of audit evidence obtained. This section requires the auditor to evaluate whether the risk assessments remain appropriate and to conclude whether sufficient appropriate audit evidence has been obtained.

• Documentation. This section establishes related documentation requirements.

3. The auditor should determine overall responses to assessed risks at the financial

statement level, and should design the nature, timing and extent of further audit procedures to respond to assessed risks at the assertion level to reduce audit risk to an acceptably low level. As part of obtaining an understanding of the entity and its environment, including its internal control, the auditor performs risk assessment procedures to assess the risks of material misstatement. The auditor determines overall responses to the risks of material misstatement of the financial statements and designs and performs further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level in order to obtain sufficient appropriate audit evidence on which to base the audit opinion. The overall responses and the nature, timing and extent of the further audit procedures to be performed are matters for the professional judgment of the auditor.

4. In addition to the requirements of this ISA, when planning and performing further audit

procedures relating to the risk of material misstatement due to fraud, the auditor also complies with the requirements and guidance in ISA 240, “The Auditor’s Responsibility to Consider Fraud and Error in an Audit of Financial Statements.”


Page 4 of 16

Overall Responses 5. The auditor should determine overall responses to address the risks of material

misstatement at the financial statement level. Such overall responses may include emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence, assigning more experienced staff or those with special skills or using experts, providing more supervision, or incorporating additional elements of unpredictability in the selection of further audit procedures to be performed. Additionally, the auditor may make general changes to the nature, timing or extent of audit procedures as an overall response, for example, performing substantive procedures at period end instead of at an interim date.

6. The assessment of the risks of material misstatement at the financial statement level is

affected by the auditor’s assessment of the control environment. An effective control environment enables audit procedures to be conducted at an interim date rather than at period end, and may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity. If there are weaknesses in the control environment, the auditor may, for example, conduct more audit procedures as of the period end rather than at an interim date, seek more extensive audit evidence from substantive procedures, or increase the number of locations to be included in the audit scope. For example, if there were an identified risk of management override, such that fictitious transactions may be recorded by the entity, it may be appropriate to place more emphasis on audit evidence obtained from third parties.

7. Such considerations, therefore, have a significant bearing on the auditor’s general

approach, for example, an emphasis on substantive procedures (substantive approach), or an approach that uses tests of controls as well as substantive procedures (combined approach).

Audit Procedures Responsive to Risks of Material Misstatement at the Assertion Level 8. The auditor should design and perform further audit procedures whose nature,

timing and extent are responsive to the assessed risks of material misstatement at the assertion level. The purpose of this requirement is to provide a clear link between the nature, timing and extent of the auditor’s further audit procedures and the risk assessments. In designing further audit procedures, the auditor considers such matters as the significance of the risk; the likelihood that a material misstatement will occur; the characteristics of the class of transactions, account balance or disclosure involved; the nature of the specific controls used by the entity including the entity’s use of information technology (IT); and whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing, or detecting and correcting, material misstatements. The nature of the audit procedures is of most importance in responding to the assessed risks.

9. The auditor’s assessment of the identified risks at the assertion level provides a basis for

considering the appropriate audit approach for designing and performing further audit procedures. In some cases, the auditor may determine that only tests of the operating effectiveness of controls are responsive to the assessed risk of material misstatement for a particular assertion. In other cases, the auditor may determine that only substantive


Page 5 of 16

procedures are appropriate for specific assertions. This may be because the auditor’s risk assessment procedures have not identified any effective controls relevant to the assertion, or because testing the operating effectiveness of controls would be inefficient. In such cases, the auditor excludes the effect of controls from the relevant risk assessment. However, the auditor needs to be satisfied that performing only substantive procedures would be effective in reducing audit risk to an acceptably low level. Often the auditor may determine that a combined approach using both tests of the operating effectiveness of controls and substantive procedures is an effective approach.

CONSIDERING THE NATURE, TIMING AND EXTENT OF AUDIT PROCEDURES

Nature 10. The nature of audit procedures refers to their purpose (tests of controls or substantive

procedures) and their type, that is, inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures. Certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most appropriate in relation to the completeness assertion, while substantive procedures may be most appropriate in relation to the occurrence assertion.

11. The auditor’s selection of audit procedures is based upon the assessment of risk. The

higher the auditor’s assessment of risk, the more reliable and relevant is the audit evidence sought by the auditor. This may affect both the types of audit procedures to be performed and their combination. For example, the auditor may confirm the completeness of the terms of a contract with a third party, in addition to inspecting the document.

12. In determining the audit procedures to be performed, the auditor considers the reasons

for each risk assessment. For example, if the auditor considers that there is a lower risk because of the particular characteristics of the class of transactions (that is, inherent risks), the auditor may determine that substantive analytical procedures alone may provide sufficient appropriate audit evidence. On the other hand, if the auditor expects that there is a lower risk that a material misstatement may arise because an entity has effective controls and the auditor intends to design the nature, timing and extent of planned substantive procedures based on the effective operation of those controls, then the auditor performs tests of controls to obtain audit evidence about their operating effectiveness. For example, the risk of misstatement may be considered low for a class of transactions of reasonably uniform, non-complex characteristics that are routinely processed and controlled by the entity’s information system.

13. Where information used by the auditor to perform audit procedures is produced by

the entity’s information system, the auditor should obtain evidence about the accuracy and completeness of the information.

Timing 14. Timing refers to when audit procedures are performed or the period or date to which the

audit evidence applies.


Page 6 of 16

15. The auditor may perform tests of controls or substantive procedures at an interim date or

at period end. The higher the risk of material misstatement, the more likely it is that the auditor may decide it is more effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times. On the other hand, performing audit procedures before the period end may enable the auditor to consider significant matters as they arise in developing an effective audit approach to address these matters. If the auditor performs tests of controls or substantive procedures prior to period end, the auditor considers the additional evidence required for the remaining period (see paragraphs 33 through 35, and 50 through 54).

16. In considering when to perform audit procedures, the auditor also considers such matters

as:

• When relevant information is available (for example, electronic files may subsequently be overwritten, or procedures to be observed may occur only at certain times).

• The nature of the risk (for example, if there is a risk of inflated revenues to meet earnings expectations by subsequent creation of false sales agreements, the auditor may wish to examine contracts available on the date of the period end).

• The period or date to which the audit evidence relates.

• The control environment. 17. Certain audit procedures can be performed only at or after period end, for example,

agreeing the financial statements to the accounting records and examining adjustments made during the course of preparing the financial statements. If there is a risk that the entity may have entered into improper sales contracts or transactions may not have been finalized at period end, the auditor may, especially with respect to revenue, perform procedures to respond to that specific risk. For example, where transactions are individually significant or where an error in cut-off may lead to a material misstatement, the auditor inspects transactions near the period end.

Extent 18. Extent includes the quantity of a specific audit procedure to be performed, for example, a

sample size or the number of observations of a control procedure. The extent of an audit procedure is determined by the judgment of the auditor after considering the materiality, the assessed risk, and the degree of assurance the auditor plans to obtain. In particular, the auditor ordinarily increases the extent of audit procedures as the risk of material misstatement increases. However, increasing the extent of an audit procedure is only effective if the audit procedure itself is relevant to the specific risk; therefore, the nature of an audit procedure is the most important consideration.

19. The use of computer-assisted audit techniques (CAATs) may enable more extensive

testing of electronic transactions and account files. Such techniques can be used to select


Page 7 of 16

sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.

20. Valid conclusions may ordinarily be drawn using sampling approaches. However, if the

quantity of selections made from a population is too small, the sampling approach selected is not appropriate to the circumstances, or if exceptions are not appropriately followed up on, there will be an unacceptable risk that the auditor’s conclusion based on a sample may be different from the conclusion reached if the entire population was subjected to the same audit procedure. ISA 530, “Audit Sampling and Other Selective Testing Procedures” contains guidance on the use of sampling.

21. This standard regards the use of different procedures in combination as an aspect of the

nature of testing as discussed above. However, the auditor considers whether the extent of testing is appropriate when performing different procedures in combination.

TESTS OF CONTROLS 22. When the auditor's assessment of risks of material misstatement at the assertion

level is based on an expectation that controls are operating effectively, the auditor should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit. Tests of the operating effectiveness of controls may be performed on controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion. Paragraphs 99 through 101 of ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” discuss the identification of controls at the assertion level likely to prevent, or detect and correct, a material misstatement in a class of transactions, account balance or disclosure.

23. Where, in accordance with paragraph 110 of ISA XX, “Understanding the Entity

and Its Environment and Assessing the Risks of Material Misstatement”, the auditor has determined that it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the auditor should perform tests of controls to obtain audit evidence about their operating effectiveness.

24. Testing the operating effectiveness of controls is different from obtaining audit evidence

that controls have been implemented. When obtaining audit evidence of implementation by performing risk assessment procedures, the auditor determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively. This includes obtaining audit evidence about how controls were applied at relevant times during the period under audit, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under audit, the auditor considers each separately. The auditor may determine that testing the operating effectiveness of controls at the same time as evaluating their design and obtaining audit evidence of their implementation is efficient.


Page 8 of 16

25. In addition, although some risk assessment procedures that the auditor performed to

evaluate the design of controls and to determine that they have been implemented may not have been specifically planned as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls. For example, because of the inherent consistency of IT processing, performing risk assessment procedures to determine whether an automated control has been implemented may serve as a test of that control’s operating effectiveness, depending on such factors as whether the program has been changed or whether there is a significant risk of unauthorized change or other improper intervention. Also, in obtaining an understanding of the control environment, the auditor may have made inquiries about management's use of budgets, observed management's comparison of monthly budgeted and actual expenses, and inspected reports pertaining to the investigation of variances between budgeted and actual amounts. Although these procedures provide knowledge about the design of the entity's budgeting policies and whether they have been implemented, they may also provide audit evidence about the effectiveness of the operation of budgeting policies in preventing or detecting material misstatements in the classification of expenses. In such circumstances, the auditor considers whether the audit evidence provided by those tests is sufficient.

Nature of Tests of Controls 26. The auditor selects audit procedures to obtain assurance about the operating effectiveness

of controls. As the planned level of assurance increases, the auditor seeks more reliable audit evidence. In circumstances when the auditor adopts an approach consisting primarily of tests of controls, in particular related to those risks where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures, the auditor ordinarily performs tests of controls to obtain a higher level of assurance about their operating effectiveness. Inquiry alone will not provide sufficient appropriate audit evidence for testing the operating effectiveness of controls. Tests of the operating effectiveness of controls ordinarily include those procedures used to evaluate the design of controls and determine whether they have been implemented, and also includes reperformance of the application of the control by the auditor. Often, the auditor uses a combination of audit procedures to obtain sufficient audit evidence regarding the operating effectiveness of a control. For example, an auditor may observe the procedures for opening the mail and processing cash receipts to test the operating effectiveness of controls over cash receipts. Because an observation is pertinent only at a point in time at which it is made, the auditor may supplement the observation with inquiries of entity personnel and inspection of documentation about the operation of such controls at other times during the audit period.

27. The nature of the particular control influences the type of audit procedure required to

obtain audit evidence about whether the control was operating effectively at relevant times during the period under audit. For some controls, operating effectiveness is evidenced by documentation. In such circumstances, the auditor may decide to inspect the documentation to obtain audit evidence about operating effectiveness. For other controls, however, such documentation may not be available or relevant. For example, documentation of operation may not exist for some factors in the control environment,


Page 9 of 16

such as assignment of authority and responsibility, or for some types of control procedures, such as control procedures performed by a computer. In such circumstances, audit evidence about operating effectiveness may be obtained through audit procedures such as observation, inquiry, or the use of CAATs.

28. In designing tests of controls, the auditor considers the need to obtain audit evidence

supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a user review of an exception report of credit sales over a customer’s authorized credit limit as a direct control related to an assertion. In such cases, the auditor considers the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report (for example, the general controls).

29. In the case of an IT application control, because of the inherent consistency of IT

processing, audit evidence about the implementation of the control, when considered in combination with audit evidence obtained regarding the operating effectiveness of the entity’s general controls (and in particular, change controls) may provide substantial audit evidence about its operating effectiveness during the relevant period.

30. When responding to the risk assessment, the auditor may use tests of details as tests of

controls. The objective of tests of details performed as tests of controls is to evaluate whether a control operated effectively. The objective of tests of details performed as substantive procedures is to detect material misstatements in the financial statements. Although these objectives are different, both may be accomplished concurrently through performance of a test of details on the same transaction, also known as a dual-purpose test. For example, the auditor may examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. The auditor gives consideration to the design and evaluation of such tests to accomplish both objectives. The absence of misstatements detected by a substantive procedure does not imply that controls related to the assertion being tested are effective.

Timing of Tests of Controls 31. The timing of the tests of controls depends on the auditor’s objective and determines the

period of reliance on those controls. If the auditor tests controls at a particular time, the auditor only obtains audit evidence that the controls operated effectively at that time. However, if the auditor tests controls throughout a period, the auditor obtains audit evidence of the effectiveness of the operation of the controls during that period.

32. Audit evidence pertaining only to a point in time may be sufficient for the auditor’s

purpose, for example, when testing controls over the entity’s physical inventory counting at the period end. If, on the other hand, the auditor requires audit evidence of the effectiveness of a control over a period, audit evidence pertaining only to a point in time may be insufficient and the auditor supplements those tests with other tests of controls that are capable of providing audit evidence that the control operated effectively at relevant times during the period under audit. For example, for a control embedded in a computer program, the auditor may test the operation of the control at a particular point in time to obtain audit evidence about whether the control is operating effectively at that


Page 10 of 16

point in time. The auditor then may perform tests of controls directed toward obtaining audit evidence about whether the control operated consistently during the audit period, such as tests of general controls pertaining to the modification and use of that computer program during the audit period.

33. When the auditor obtains audit evidence about the operating effectiveness of

controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period.

34. In making that determination, the auditor considers the significance of the assessed risks

of material misstatement at the assertion level, the specific controls that were tested during the interim period, the degree to which audit evidence about the operating effectiveness of those controls was obtained, the length of the remaining period, the audit evidence about operating effectiveness that may result from the substantive procedures performed with regard to the remaining period and the overall control environment. The auditor obtains audit evidence about the nature and extent of any significant changes in internal control, including changes in the information system, processes, and personnel that occur subsequent to the interim period.

35. Additional audit evidence may be obtained by extending the testing of the operating

effectiveness of controls over the remaining period, considering the entity’s monitoring of controls, or performing substantive procedures.

36. If the auditor plans to use audit evidence about the operating effectiveness of

controls obtained in prior audits, the auditor should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit. The auditor should obtain audit evidence about whether such changes have occurred by a combination of observation, inquiry and inspection to confirm the understanding of those specific controls. For example, in performing the prior audit, the auditor may have determined that an automated control was functioning as intended. The auditor obtains audit evidence to determine whether changes to the automated control have been made that affect its continued effective functioning, for example, through the inspection of logs to indicate what controls have been changed. Consideration of audit evidence about these changes may support either increasing or decreasing the expected audit evidence to be obtained in the current period about the operating effectiveness of the controls.

37. If the auditor plans to rely on controls that have changed since they were last tested,

the auditor should test the operating effectiveness of such controls in the current audit. Changes may affect the relevance of the audit evidence obtained in prior periods such that there may no longer be a basis for continued reliance. For example, changes in a system that enable an entity to receive a new report from the system probably do not affect the relevance of prior period audit evidence; however, a change that causes data to be accumulated or calculated differently does affect it.

38. If the auditor plans to rely on controls that have not changed since they were last

tested, the auditor should test the operating effectiveness of such controls at least every third audit. In considering the length of time period that may elapse before


Page 11 of 16

retesting a control, the auditor considers the control environment, the entity’s monitoring of controls, general IT controls, and the effectiveness of the control and its application by the entity. However, the auditor is required to retest a control being relied on at least every third audit, because the longer the time elapsed since the testing of the control was performed, the less audit evidence it may provide about the effectiveness of the control in the current audit period and the greater reliance on controls such as change controls. Factors that may decrease the period for retesting include a weak control environment, manual controls, personnel changes and weak general controls. The higher the risk of material misstatement, or the greater the reliance on controls, the shorter the time elapsed is likely to be.

39. Where there are a number of controls for which the auditor determines it is

appropriate to use audit evidence obtained in prior audits, the auditor should test the operating effectiveness of some controls each audit. The purpose of this requirement is to avoid the possibility that the auditor might follow the approach of paragraph 38 to all controls on which the auditor proposes to rely, but test all those controls in a single audit period with no testing of controls in the subsequent two audit periods. In addition to providing audit evidence about the operating effectiveness of the controls being tested in the current audit, performing such tests provides collateral evidence about the continuing effectiveness of the control environment and therefore contributes to the decision about whether it is appropriate to rely on audit evidence obtained in prior audits.


and Its Environment and Assessing the Risks of Material Misstatement,” the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk and the auditor plans to rely on the operating effectiveness of controls intended to mitigate that significant risk, the auditor should obtain all audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period. The greater the risk of material misstatement, the more audit evidence the auditor obtains that controls are operating effectively. Accordingly, the auditor does not rely on audit evidence obtained in a prior audit about the operating effectiveness of controls over such risks.

Extent of Tests of Controls 41. The more the auditor relies on the operating effectiveness of controls in the assessment

of risk, the greater is the extent of the auditor’s tests of controls. In addition, as the rate of expected deviation of a particular attribute increases, the auditor increases the extent of testing of the control.

42. However, because of the inherent consistency of IT processing, the auditor may not need

to increase the extent of testing of an IT control. A programmed application control should function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor considers performing tests to determine that the control continues to function effectively. Such tests might include


Page 12 of 16

determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them.

SUBSTANTIVE PROCEDURES 43. The auditor plans and performs substantive procedures to be responsive to the related

assessment of the risk of material misstatement. The higher the assessed risk, the more likely it is that the substantive procedures will be performed close to the period end and the extent of such procedures increases. Further, the higher the assessed risk, the more critical becomes the nature of the substantive procedures. Although the auditor may alter the nature, timing and extent of substantive procedures when the auditor has performed tests of controls to obtain audit evidence about their operating effectiveness, the auditor’s assessment of risk is judgmental and may not be sufficiently precise to identify all risks of material misstatement. Further, there are inherent limitations to internal control including management override. Irrespective of the assessed risk of material misstatement, the auditor should plan and perform substantive procedures for each material class of transactions, account balance and disclosure.


and Its Environment and Assessing the Risks of Material Misstatement,” the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor should perform substantive procedures that are specifically responsive to that risk. For example, if the auditor identifies that management is under pressure to meet earnings expectations, there may be a related risk that management is inflating sales by entering into sales agreements that include terms that preclude revenue recognition or by invoicing sales before delivery. In these circumstances, the auditor may, for example, design external confirmations not only to confirm outstanding amounts, but also to confirm the details of the sales agreements, including date, any rights of return and delivery terms. In addition, the auditor may find it effective to supplement such external confirmations with inquiries of non-financial personnel in the entity regarding any changes in sales agreements and delivery terms.

45. When the approach consists only of substantive procedures, the audit procedures

appropriate to address such significant risks consist of tests of details only, or a combination of tests of details and substantive analytical procedures designed to provide a high level of assurance. If the auditor chooses to perform tests of details only, the tests of details are performed using audit procedures designed to obtain audit evidence having higher reliability. For significant risks, it is not likely that audit evidence obtained from substantive analytical procedures alone will be sufficient.

Nature of Substantive Procedures 46. Substantive procedures include tests of details and substantive analytical procedures.

Substantive analytical procedures are generally more applicable to large volumes of


Page 13 of 16

transactions that tend to be predictable over time. Tests of details are ordinarily more appropriate to obtain audit evidence regarding certain financial statement assertions, including existence and valuation.

47. The auditor designs tests of details responsive to the assessed risk with the objective of

obtaining sufficient appropriate audit evidence to achieve the planned level of assurance at the assertion level. In designing substantive procedures related to the existence or occurrence assertion, the auditor selects from items contained in a financial statement amount and searches for relevant audit evidence. On the other hand, in designing audit procedures related to the completeness assertion, the auditor selects from audit evidence indicating that an item should be included in the relevant financial statement amount and investigates whether that item is so included. For example, the auditor might inspect subsequent cash disbursements to determine whether any purchases had been omitted from accounts payable.

48. In designing substantive analytical procedures, the auditor considers such matters as:

• The suitability of using substantive analytical procedures given the assertions.

• The reliability of the data, whether internal or external, from which the expectation of recorded amounts or ratios is developed.

• Whether the expectation is sufficiently precise to identify a material misstatement at the desired level of assurance.

• The amount of any difference of recorded amounts from expected values that is acceptable.

The auditor considers testing the controls, if any, over the entity’s preparation of information used by the auditor in applying analytical procedures. When such controls are effective, the auditor has greater confidence in the reliability of the information and, therefore, in the results of analytical procedures. Alternatively, the auditor may consider whether the information was subjected to audit testing in the current or prior period.

49. The auditor’s substantive procedures include agreeing the financial statements to the

accounting records, examining material adjustments made during the course of preparing the financial statements and other procedures relating to the financial reporting closing process.

Timing of Substantive Procedures 50. When substantive procedures are performed at an interim date, the auditor should

perform further substantive procedures or substantive procedures combined with tests of controls to cover the remaining period that provide a reasonable basis for extending the audit conclusions from the interim date to the period end.

51. In some circumstances, substantive procedures may be performed at an interim date. This

increases the risk that misstatements that may exist at the period end are not detected by the auditor. This risk increases as the remaining period is lengthened. In considering whether to perform substantive procedures at an interim date, the auditor considers: the control environment, other relevant controls, the objective of the substantive procedure,


Page 14 of 16

the assessed risk of material misstatement, the nature of the class of transactions or account balance and related assertions, and the ability of the auditor to reduce the risk by performing appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period.

52. Ordinarily, the auditor compares and reconciles information concerning the balance at

the period end with the comparable information at the interim date to identify amounts that appear unusual, investigates any such amounts, and performs substantive analytical procedures or tests of details to test the intervening period.

53. If misstatements are detected in classes of transactions or account balances at an interim

date, the auditor ordinarily modifies the related assessment of risk and the planned nature, timing or extent of the substantive procedures covering the remaining period that relate to such classes of transactions or account balances, or extends or repeats such audit procedures at the period end.

54. Performing audit procedures at an interim date may assist the auditor in identifying and

resolving issues at an early stage of the audit. Consequently, interim testing may be of particular importance despite the requirement for the auditor to perform further audit procedures where procedures are performed at an interim date.

Extent of the Performance of Substantive Procedures 55. The greater the risk of material misstatement, the greater the extent of substantive

procedures. However, increasing the extent of an audit procedure is only appropriate if the audit procedure itself is relevant to the specific risk. Because the risk of material misstatement takes account of internal control, the extent of substantive procedures may be reduced by satisfactory results from tests of the operating the effectiveness of controls.

56. In planning tests of details, the extent of testing is ordinarily thought of in terms of the

sample size, which is affected by the risk of material misstatement. ISA 530, “Audit Sampling and Other Selective Testing Procedures” contains guidance on the use of sampling. In planning analytical procedures, the auditor considers the amount of difference from the expectation that can be accepted without further investigation. This consideration is influenced primarily by materiality and the consistency with the desired level of assurance. Determination of this amount involves considering the possibility that a combination of misstatements in the specific account balances, or class of transactions, or other balances or classes could aggregate to an unacceptable amount. In designing substantive analytical procedures, the auditor increases the desired level of assurance as the risk of material misstatement increases. ISA 520, “Analytical Procedures” contains guidance on the application of analytical procedures during an audit.

57. The use of CAATs may enable more extensive testing of electronic transactions and files.

For example, in performing audit procedures at the assertion level, such techniques may be used to test an entire population instead of a sample.


Page 15 of 16

Evaluating the Sufficiency and Appropriateness of Audit Evidence Obtained 58. Based on the audit procedures performed and the audit evidence obtained, the

auditor should evaluate whether the assessments of the risks of material misstatement at the assertion level remain appropriate.

59. An audit of financial statements is a cumulative and iterative process. As the auditor

performs planned audit procedures, the audit evidence obtained may cause the auditor to modify the nature, timing, or extent of other planned audit procedures. Information may come to the auditor's attention that differs significantly from the information on which the risk assessments were based. For example, the extent of misstatements that the auditor detects by performing substantive procedures may alter the auditor’s judgment about the risk assessments. In addition, analytical procedures performed at the overall review stage of the audit may indicate a previously unrecognized risk of material misstatement. In such circumstances, the auditor may need to reevaluate the planned audit procedures, based on the revised consideration of assessed risks for all or some of the classes of transactions, account balances or disclosures and related assertions.

60. The concept of effectiveness of the operation of controls recognizes that some deviations

in the way controls are applied by the entity may occur. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When such deviations are detected, the auditor makes specific inquiries to understand these matters and their potential consequences, for example, by inquiring about the timing of personnel changes in key internal control functions. The auditor determines whether the tests of controls performed provide an appropriate basis for reliance on the controls, whether additional tests of controls are necessary, or whether the potential risks of misstatement need to be addressed using substantive procedures.

61. The auditor cannot assume that an instance of fraud or error is an isolated occurrence.

Therefore, before the conclusion of the audit, the auditor evaluates whether audit risk has been reduced to an acceptably low level and whether the nature, timing and extent of the audit procedures may need to be reconsidered. For example, the auditor reconsiders:

• The nature, timing, and extent of substantive procedures.

• The audit evidence of the operating effectiveness of relevant controls, including the entity’s risk assessment process.

62. The auditor should conclude whether sufficient appropriate audit evidence has been

obtained to reduce to an acceptably low level the risk of material misstatement in the financial statements. In developing an opinion, the auditor considers all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements.

63. The sufficiency and appropriateness of audit evidence to support the auditor’s

conclusions throughout the audit are a matter of professional judgment. The auditor’s judgment as to what constitutes sufficient appropriate audit evidence is influenced by such factors as the:


Page 16 of 16

• Significance of the potential misstatement in the assertion and the likelihood of its having a material effect, individually or aggregated with other potential misstatements, on the financial statements.

• Effectiveness of management’s responses and controls to address the risks.

• Experience gained during previous audits with respect to similar potential misstatements.

• Results of audit procedures performed, including whether such audit procedures identified specific instances of fraud or error.

• Source and reliability of the available information.

• Persuasiveness of the audit evidence.

• Understanding of the entity and its environment, including its internal control. 64. If the auditor has not obtained sufficient appropriate audit evidence as to a material

financial statement assertion, the auditor should attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor should express a qualified opinion or a disclaimer of opinion. See ISA 700, “The Auditor’s Report on Financial Statements,” for further guidance.

Documentation 65. The auditor should document the overall responses to the risks of material

misstatement at the financial statement level and the nature, timing and extent of the further audit procedures, the linkage of those procedures with the assessed risks at the assertion level, and the results of the audit procedures. The manner in which these matters are documented is based on the auditor’s professional judgment.


XXXX.

IFAC

International

Auditing

and Assurance

Standards Board

October 2002

Exposure Draft


Audit Evidence Proposed International Standard on Auditing


The International

Federation of

Accountants

ISA XX, “AUDIT EVIDENCE”

Page 1 of 9

CONTENTS

Paragraphs Introduction ................................................................................................................. 1-2 Concept of Audit Evidence.......................................................................................... 3-6 Concept of Assertions.................................................................................................. 7 Sufficient Appropriate Audit Evidence ...................................................................... 8-14 Audit Procedures for Obtaining Audit Evidence ........................................................ 15-36 Inspection of Records or Documents .................................................................. 22-23 Inspection of Tangible Assets .............................................................................. 24 Observation ........................................................................................................ 25 Inquiry ................................................................................................................. 26-32 Confirmation ....................................................................................................... 33 Recalculation ...................................................................................................... 34 Reperformance .................................................................................................... 35 Analytical Procedures.......................................................................................... 36 Effective Date.............................................................................................................. 37

International Standards on Auditing (ISAs) are to be applied in the audit of financial statements. ISAs are also to be applied, adapted as necessary, to the audit of other information and to related services.

ISAs contain the basic principles and essential procedures (identified in bold type black lettering) together with related guidance in the form of explanatory and other material. The basic principles and essential procedures are to be interpreted in the context of the explanatory and other material that provide guidance for their application.

To understand and apply the basic principles and essential procedures together with the related guidance, it is necessary to consider the whole text of the ISA including explanatory and other material contained in the ISA, not just that text which is black lettered.

In exceptional circumstances, an auditor may judge it necessary to depart from an ISA in order to more effectively achieve the object of an audit. When such a situation arises, the auditor should be prepared to justify the departure.

ISAs need only be applied to material matters. The Public Sector Perspective (PSP) issued by the Public Sector Committee of the International Federation of Accountants is set out at the end of an ISA. Where no PSP is added, the ISA is applicable in all material respects to the public sector.


Page 2 of 9


to provide guidance on what constitutes audit evidence in an audit of financial statements, the quantity and quality of audit evidence to be obtained, and the audit procedures that auditors use for obtaining that audit evidence.

2. The auditor should obtain sufficient appropriate audit evidence to be able to draw

reasonable conclusions on which to base the audit opinion.

Concept of Audit Evidence 3. “Audit evidence” is all of the information used by the auditor in arriving at the

conclusions on which the audit opinion is based, and includes the accounting records underlying the financial statements and other information. Auditors are not expected to address all information that may exist. Audit evidence, which is cumulative in nature, includes audit evidence obtained from audit procedures performed during the course of the audit, and may include audit evidence obtained from other sources such as previous audits and a firm’s quality control procedures for acceptance and retention of clients.

4. Accounting records generally include the records of initial entries and supporting records

such as checks and records of electronic fund transfers; invoices; contracts; the general and subsidiary ledgers, journal entries and other adjustments to the financial statements that are not reflected in formal journal entries; and records such as work sheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures. The entries in the accounting records are often initiated, recorded, processed and reported in electronic form. In addition, the accounting records may be part of integrated systems that share data and support all aspects of the entity’s financial reporting, operations and compliance objectives.

5. Management prepares the financial statements based upon the accounting records of the

entity. The auditor obtains some audit evidence by testing the accounting records, for example, through analysis and review, reperforming procedures followed in the financial reporting process, and reconciling related types and applications of the same information. Through the performance of such audit procedures, the auditor may determine that the accounting records are internally consistent and agree to the financial statements. However, because accounting records alone do not provide sufficient audit evidence on which to base an audit opinion on the financial statements, the auditor obtains other audit evidence.

6. Other information that the auditor may use as audit evidence includes minutes of

meetings; confirmations from third parties; analysts’ reports; comparable data about competitors (benchmarking); controls manuals; information obtained by the auditor from such audit procedures as inquiry, observation, and inspection; and other information developed by, or available to, the auditor which permits the auditor to reach conclusions through valid reasoning.


Page 3 of 9

Concept of Assertions 7. Management is responsible for the fair presentation of financial statements that reflect

the nature and operations of the entity in accordance with the applicable financial reporting framework. In representing that the financial statements give a true and fair view (or are presented fairly, in all material respects) in accordance with the applicable financial reporting framework, management implicitly makes the assertions identified below. The auditor uses assertions in assessing risks by considering the different types of potential misstatements that may occur, and thereby to design audit procedures that are appropriate.1

(a) Assertions about classes of transactions and events for the period under audit include:

(i) Occurrence—transactions and events that have been recorded have occurred and pertain to the entity;

(ii) Completeness—all transactions and events that should have been recorded have been recorded;

(iii) Accuracy—amounts and other data relating to recorded transactions and events have been recorded accurately;

(iv) Cutoff—transactions and events have been recorded in the correct accounting period;

(v) Classification—transactions and events have been recorded in the proper accounts;

(b) Assertions about account balances at the period end include:

(i) Existence—assets, liabilities, and equity interests exist;

(ii) Rights and obligations—the entity holds or controls the rights to assets and liabilities are the obligations of the entity;

(iii) Completeness—all assets, liabilities and equity interests that should have been recorded have been recorded;

(iv) Valuation—assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation adjustments are appropriately recorded;

(c) Assertions about presentation and disclosure include:

(i) Occurrence and rights and obligations—disclosed matters have occurred and pertain to the entity;

(ii) Completeness—all disclosures that should have been included in the financial statements have been included;

(iii) Transparency—financial information is appropriately classified and disclosures are understandable;

1 The assertions essentially deal with recognition and measurement of the various elements of financial

statements and related disclosures.


Page 4 of 9

(iv) Accuracy and valuation—financial and other information are disclosed fairly and at appropriate amounts.

Sufficient Appropriate Audit Evidence 8. Sufficiency is the measure of the quantity of audit evidence. Appropriateness is the

measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for, or detecting misstatements in, the classes of transactions, account balances and disclosures and related assertions. The quantity of audit evidence needed is affected by the risk of misstatement (the greater the risk, the more audit evidence is required) and also by the quality of such audit evidence (the higher the quality, the less is required). Accordingly, the sufficiency and appropriateness of audit evidence are interrelated.

9. A given set of audit procedures may provide audit evidence that is relevant to certain

assertions, but not others. For example, examination of the collection of receivables after the period end may provide audit evidence regarding both existence and valuation, though not necessarily the appropriateness of period-end cutoffs. On the other hand, the auditor often seeks audit evidence from different sources or of a different nature that is relevant to the same assertion. For example, the auditor may analyze the aging of accounts receivable and the subsequent collection of receivables to obtain audit evidence relating to the valuation of the allowance for doubtful accounts. Furthermore, obtaining audit evidence relating to a particular assertion, for example, audit evidence concerning the physical existence of inventory, is not a substitute for obtaining audit evidence regarding another assertion, for example, audit evidence about the valuation of inventory.

10. The reliability of audit evidence is influenced by its source and by its nature and is

dependent on the individual circumstances under which it is obtained. Generalizations about the reliability of various kinds of audit evidence can be made; however, such generalizations are subject to important exceptions. For example, audit evidence obtained from an independent external source may not be reliable if the source is not knowledgeable. While recognizing that exceptions may exist, the following generalizations about the reliability of audit evidence may be useful:

• Audit evidence is more reliable when it is obtained from independent sources outside the entity.

• Audit evidence that is generated internally is more reliable when the related controls imposed by the entity are effective.

• Audit evidence obtained directly by the auditor (for example, observation of the application of a control) is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry about the application of a control).

• Audit evidence is more reliable when it exists in documentary form, whether paper, electronic, or other media (for example, a contemporaneously written record of a meeting is more reliable than a subsequent oral representation of what was discussed).


Page 5 of 9

• Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies or facsimiles.

11. An audit rarely involves the authentication of documentation, nor is the auditor trained as

or expected to be an expert in such authentication. However, the auditor considers the reliability of the information to be used as audit evidence, for example, photocopies, facsimiles, filmed, digitized or other electronic documents, including consideration of controls over their preparation and maintenance where relevant.

12. Audit evidence is more reliable when the auditor obtains consistent audit evidence from

different sources or of a different nature. In these circumstances, the auditor may obtain more assurance than from items of audit evidence considered individually. For example, corroborating information obtained from a source independent of the entity may increase the assurance the auditor obtains from a management representation. Conversely, when audit evidence obtained from one source is inconsistent with that obtained from another, the auditor determines what additional audit procedures are necessary to resolve the inconsistency.

13. The auditor considers the relationship between the cost of obtaining audit evidence and

the usefulness of the information obtained. However, the matter of difficulty or expense involved is not in itself a valid basis for omitting an audit procedure for which there is no alternative.

14. The auditor uses professional judgment in determining the quantity and quality of audit

evidence, and thus its sufficiency and appropriateness, to support the audit opinion. Both the individual assertions in financial statements and the overall proposition that the financial statements as a whole give a true and fair view (or are presented fairly, in all material respects) are of such a nature that the auditor is seldom convinced beyond all doubt with respect to the financial statements being audited. In forming the audit opinion the auditor does not ordinarily examine all the information available because conclusions can be reached by using sampling approaches. Ordinarily, the auditor finds it necessary to rely on audit evidence that is persuasive rather than conclusive; however, in order to obtain reasonable assurance, the auditor is not satisfied with audit evidence that is less than persuasive.

Audit Procedures for Obtaining Audit Evidence 15. The auditor obtains audit evidence to draw reasonable conclusions on which to base the

audit opinion by performing audit procedures to:

(a) Obtain an understanding of the entity and its environment, including its internal control, in order to assess the risks of material misstatement at the financial statement and assertion levels (audit procedures performed for this purpose are referred to in the ISAs as “risk assessment procedures”);

(b) Where necessary or where the auditor has determined to do so, test the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level (audit procedures performed for this purpose are referred to in the ISAs as “tests of controls”); and


Page 6 of 9

(c) Support assertions or detect material misstatements at the assertion level (audit procedures performed for this purpose are referred to in the ISAs as “substantive procedures” and include tests of details on classes of transactions, account balances and disclosures and substantive analytical procedures).

16. The auditor always performs risk assessment procedures to provide a satisfactory basis

for the assessment of risks at the financial statement and assertion levels. Risk assessment procedures by themselves do not provide sufficient appropriate audit evidence on which to base the audit opinion, however, and are supplemented by further audit procedures in the form of tests of controls and substantive procedures.

17. Tests of controls are required where the auditor’s risk assessment assumes the operating

effectiveness of controls. In particular, the auditor obtains audit evidence about the operating effectiveness of controls where substantive procedures alone do not provide sufficient appropriate audit evidence.

18. The auditor plans and performs substantive procedures to be responsive to the related

assessment of the risk of material misstatement, which includes the results of tests of controls, if any. The auditor’s risk assessment is judgmental, however, and may not be sufficiently precise to identify all risks of material misstatement. Further, there are inherent limitations to internal control including the risk of management override, the possibility of human error and the effect of systems changes. Therefore, substantive procedures for material classes of transactions, account balances and disclosures are always required to obtain sufficient appropriate audit evidence.

19. The auditor uses one or more types of audit procedures described in paragraphs 22 to 36

below. These audit procedures, or combinations thereof, may be used as risk assessment procedures, tests of controls or substantive procedures, depending on the context in which they are applied by the auditor. Audit evidence obtained from previous audits may provide audit evidence where the auditor performs audit procedures to establish its continuing relevance.

20. The nature and timing of the audit procedures to be used may be affected by the fact that

some of the accounting data and other information may be available only in electronic form or only at certain points or periods in time. Source documents such as purchase orders, bills of lading, invoices, and checks may be replaced with electronic messages. For example, entities may use Electronic Data Interchange (EDI) or image processing systems. In EDI, the entity and its customers or suppliers use communication links to transact business electronically. Purchase, shipping, billing, cash receipt, and cash disbursement transactions are often consummated entirely by the exchange of electronic messages between the parties. In image processing systems, documents are scanned and converted into electronic images to facilitate storage and reference, and the source documents may not be retained after conversion. Certain electronic information may exist at a certain point in time. However, such information may not be retrievable after a specified period of time if files are changed and if backup files do not exist. An entity’s data retention policies may require the auditor to request retention of some information for the auditor’s review or to perform audit procedures at a time when the information is available.


Page 7 of 9

21. Where the information is in electronic form, the auditor may carry out certain of the audit

procedures described below through computer-assisted audit techniques (CAATs).

INSPECTION OF RECORDS OR DOCUMENTS 22. Inspection consists of examining records or documents, whether internal or external, in

paper form, electronic form, or other media. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production. An example of inspection used as a test of controls is inspection of records or documents supporting transactions and other events to corroborate inquiries, such as verifying that a transaction has been authorized.

23. Some documents represent direct audit evidence of the existence of an asset, for

example, a document constituting a financial instrument such as a stock or bond. Inspection of such documents may not necessarily provide audit evidence about ownership or value. In addition, inspecting an executed contract may provide audit evidence relevant to the entity’s application of accounting principles, such as revenue recognition.

INSPECTION OF TANGIBLE ASSETS 24. Inspection of tangible assets consists of physical examination of the assets. Inspection of

tangible assets may provide reliable audit evidence with respect to their existence, but not necessarily as to the entity’s rights and obligations or the valuation of the assets. Inspection of individual inventory items ordinarily accompanies the observation of inventory counting.

OBSERVATION 25. Observation consists of looking at a process or procedure being performed by others.

Examples include observation of the counting of inventories by the entity’s personnel and observation of the performance of control procedures. Observation provides audit evidence about the performance of a process or procedure, but is limited to the point in time at which the observation takes place and by the fact that the act of being observed may affect how the process or procedure is performed. See ISA 501, “Audit Evidence—Additional Considerations for Specific Items,” for further guidance on observation of the counting of inventory.

INQUIRY 26. Inquiry consists of seeking information of knowledgeable persons, both financial and

non-financial, throughout the entity or outside the entity. Inquiry is an audit procedure that is used extensively throughout the audit and often is complementary to performing other audit procedures. Inquiries may range from formal written inquiries to informal oral inquiries. Evaluating responses to inquiries is an integral part of the inquiry process.


Page 8 of 9

27. Inquiry involves:

(a) Considering the knowledge, objectivity, experience, responsibility and qualifications of the individual to be questioned;

(b) Asking clear, concise and relevant questions;

(c) Using open or closed questions appropriately;

(d) Listening actively and effectively;

(e) Considering the reactions and responses and asking follow-up questions; and

(f) Evaluating the response. 28. In some cases, replies to inquiries take the form of written representations from

management. See ISA 580, “Management Representations,” for further guidance on written representations.

29. Responses to inquiries may provide the auditor with information not previously

possessed or with corroborative audit evidence. Alternatively, responses might provide information that differs significantly from other information that the auditor has obtained, for example, information regarding the possibility of management override of controls. In some cases, responses to inquiries provide a basis for the auditor to modify or perform additional audit procedures.

30. The auditor’s ability to evaluate the reliability of audit evidence obtained from responses

to inquiries is also affected by the training, knowledge and experience of the auditor performing the inquiry, because the auditor analyzes and assesses responses while performing the inquiry and refines subsequent inquiries according to the circumstances. When obtaining oral responses to inquiries, the nature of the response may be so significant that it warrants obtaining written representation from the source.

31. The auditor ordinarily performs audit procedures in addition to the use of inquiry to

obtain sufficient appropriate audit evidence. Inquiry alone ordinarily will not provide sufficient audit evidence to detect a material misstatement at the assertion level or to evaluate the design of a control and to determine whether it has been implemented.

32. Although corroboration of evidence obtained through inquiry is often of particular

importance, in the case of inquiries about management intent, the information available to support management’s intent may be limited. In these cases, understanding management’s past history of carrying out its stated intentions with respect to assets or liabilities, management’s stated reasons for choosing a particular course of action, and management’s ability to pursue a specific course of action may provide relevant information about management’s intent.

CONFIRMATION 33. Confirmation, which is a specific type of inquiry, is the process of obtaining a

representation of information or of an existing condition directly from a third party. For example, the auditor may seek direct confirmation of receivables by communication with


Page 9 of 9

debtors. Confirmations are frequently used in relation to account balances and their components, but need not be restricted to these items. For example, the auditor may request confirmation of the terms of agreements or transactions an entity has with third parties. The confirmation request is designed to ask if any modifications have been made to the agreement, and if so, what the relevant details are. Confirmations also are used to obtain audit evidence about the absence of certain conditions, for example, the absence of a “side agreement” that may influence revenue recognition. See ISA 505, “External Confirmations,” for further guidance on confirmations.

RECALCULATION 34. Recalculation consists of checking the mathematical accuracy of documents or records.

Recalculation can be performed through the use of information technology, for example, by obtaining an electronic file from the entity and using CAATs to check the accuracy of the summarization of the file.

REPERFORMANCE 35. Reperformance is the auditor’s independent execution of procedures or controls that were

originally performed as part of the entity’s internal control, either manually or through the use of CAATs, for example, reperforming the aging of accounts receivable.

ANALYTICAL PROCEDURES 36. Analytical procedures consist of evaluations of financial information made by a study of

plausible relationships among both financial and non-financial data. Analytical procedures also encompass the investigation of identified fluctuations and relationships that are inconsistent with other relevant information or deviate significantly from predicted amounts. See ISA 520, “Analytical Procedures,” for further guidance on analytical procedures.


XXXX.